Garo Garabedyan's Divergent Thinking Blog

Ajax enabled web unfolds many new CSRF security problems


SPI Dynamics, Inc., a leading provider of web application security assessment software and services that was acquired by HP in 2007, has revealed JavaScript techniques for compromising the intranet security of a user browsing a hacker's web page. Sadly, I have failed to find a URL to the original paper, but the hacking approach is explained in detail in Martin Johns, A First Approach to Counter "JavaScript Malware", 2006.

The Intranet scanning scenario using JavaScript loaded in the browser from an ordinary Internet web site:

  1. The script constructs a local URL that contains the IP address and the port that shall be scanned.
  2. Then the script includes an element in the webpage that is addressed by this URL. Such elements can be, e.g., images, iframes or remote scripts.
  3. Using JavaScript's time-out functions and event handlers like onload and onerror, the script can decide whether the host exists and the given port is open: if a time-out occurs, the port is probably closed. If an onload or onerror event happens, the host answered with some data, indicating that the host is up and is listening on the targeted port.

The cross-domain networking capabilities of JavaScript are restricted by the same-origin policy (SOP). However, this policy allows elements from cross-domain HTTP hosts to be included in the DOM tree of the document that contains the JavaScript. This exception in the networking policy, together with the fact that the SOP applies at the document level, creates a loophole in the SOP.

Carefully crafted JavaScript code can port scan the intranet of a web visitor and access its resources. Simply relying on the firewall to protect an intranet HTTP server against unauthorized access is not sufficient.
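Because the probes described above are ordinary element loads issued by the visitor's own browser, they can show up in an intranet server's access log with the external page as the Referer. The following is an added example, not code from the original post or from the cited paper: it scans log lines for such requests, assuming the Apache/nginx "combined" log format and a hypothetical internal DNS suffix `.corp.example`.

```javascript
// Added example: flag intranet requests that were triggered by an external page.
// Assumptions: "combined" access log format; ".corp.example" is the internal
// DNS suffix (hypothetical); all log lines below are constructed.
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;
const PRIVATE_IP = /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

// A Referer host counts as internal if it is loopback, an RFC 1918 address,
// or falls under one of the given internal DNS suffixes.
function isInternalHost(host, internalSuffixes) {
  if (host === 'localhost' || PRIVATE_IP.test(host)) return true;
  return internalSuffixes.some((s) => host === s.slice(1) || host.endsWith(s));
}

// Returns one entry per (client, external Referer host) pair, with the
// intranet paths that client requested on behalf of the external page.
function findExternallyTriggeredRequests(logLines, internalSuffixes) {
  const hits = new Map();
  for (const line of logLines) {
    const m = LINE.exec(line);
    if (!m) continue; // not a combined-format line
    const [, client, , path, , referer] = m;
    let refHost;
    try { refHost = new URL(referer).hostname; } catch { continue; } // "-" or malformed
    if (isInternalHost(refHost, internalSuffixes)) continue;
    const key = `${client} ${refHost}`;
    if (!hits.has(key)) hits.set(key, { client, refererHost: refHost, paths: [] });
    hits.get(key).paths.push(path);
  }
  return [...hits.values()];
}

// Constructed sample lines from an intranet web server's access log.
const SAMPLE_LOG = [
  '10.0.0.23 - - [28/Apr/2011:16:20:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://wiki.corp.example/start" "Mozilla/5.0"',
  '10.0.0.23 - - [28/Apr/2011:16:20:05 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
  '10.0.0.57 - - [28/Apr/2011:16:21:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://attacker.example/page.html" "Mozilla/5.0"',
  '10.0.0.57 - - [28/Apr/2011:16:21:11 +0000] "GET /admin/logo.png HTTP/1.1" 200 3310 "http://attacker.example/page.html" "Mozilla/5.0"',
];

console.log(findExternallyTriggeredRequests(SAMPLE_LOG, ['.corp.example']));
```

Browsers omit the Referer in some cases (for example when the including page is served over HTTPS and the intranet target over HTTP), so an empty result does not rule out such probes.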


Written by garabedyan

April 28, 2011 at 16:26
