Start Secure. Stay Secure.™
SPI Labs Research Brief

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
By SPI Labs

© 2006 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo's Webmail. While you are reading the Web page, JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours. This scenario is no longer one of fiction.

Overview

SPI Labs has discovered a technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices. This technique can scan networks protected behind firewalls, such as corporate networks. All the code to do this is written in JavaScript and uses parts of the standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Web page that contains the JavaScript. Since this does not exploit any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser. The code can be part of a cross-site scripting (XSS) attack payload, thereby increasing the damage XSS can do. XSS vulnerabilities are extremely common, and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.

Getting Inside the Intranet

The scanner is written in JavaScript, which can be embedded in an HTML page. Simply viewing the page downloads the JavaScript along with the HTML to the user's browser, which executes the code automatically once it is loaded. It does not matter whether the user is sitting in a coffee shop using a wireless hotspot or inside an office building using a corporate network. If a user can browse the Web, he or she can visit a page that includes the scanner and have his or her network, whether internal or external, scanned and attacked. The scanner can be included in a site an attacker controls, or injected into popular sites using XSS vulnerabilities.

Finding Targets

The scanner begins by scanning for targets. This is accomplished by implementing a "ping" feature using the JavaScript Image object. The source attribute of an Image points to the IP address the scanner wants to ping. Using a timer and the onload/onerror functions, the scanner can determine whether there is a host at that address.

While the Image object probe will detect whether the host is there, it will not detect whether a Web server is listening on the host. To confirm the presence of a Web server, the scanner uses an HTML IFrame tag with a timer and an onload function. If the onload event occurs before the timer fires, the scanner knows it is receiving HTTP traffic from the host, confirming the existence of a Web server.

Fingerprinting Applications in JavaScript

Once the scanner has detected a host and confirmed it has a Web server, the scanner tries to fingerprint the Web server to determine its type and version number. This is done using the Image object to retrieve graphics from well-known locations on the device. For example, most Microsoft IIS Web servers have an image /pagerror.gif that is 36 by 48 pixels in size. Most installations of the Apache Web server have an image /icons/c.gif that is 20 by 22 pixels. More specific applications can also be detected: Linksys WRK54G wireless routers have an image /UI_Linksys.gif that is 165 by 57 pixels, while the Plone wiki application has an image /plone_powered.gif that is 80 by 15 pixels. By testing for several images and checking their respective sizes, the scanner can fingerprint an application more accurately and can even detect the version of the application.

Launching Attacks

Fingerprinting the application tells us what type and version number we are dealing with. The scanner can look for applications it knows are vulnerable to different attacks. By dynamically building HTML forms and automatically submitting them, the scanner can send attacks using either GET or POST against the application. At the very least, the information collected from scanning and fingerprinting can be sent to the attacker to assist in planning another attack.

Proof of Concept Code

SPI Labs has created a Web page that implements the detection and fingerprinting functionality of a full scanner. This site is available to the public at http://www.spidynamics.com/spilabs/js-portscan/. It does not automatically start scanning or attacking any internal applications. Instructions for starting the scan are included on the Web page.

Increased Danger from Cross-Site Scripting

XSS vulnerabilities are already very dangerous. Malicious script executing on a user's machine can do a variety of things. Cookies and other authentication tokens can be stolen using XSS to hijack a session; this allows an attacker to access your account on a Web site and interact with the site using your identity. XSS can be used to capture keystrokes that the user types into the browser, which makes it very easy to steal usernames and passwords [1]. Phishers are now using XSS vulnerabilities to create more realistic phishing attacks [2]. XSS can be used to scrape the contents of the screen, or to receive and perform commands from a third party [3]. Ajax can even be used to amplify a traditional XSS attack into a full-blown self-propagating Web virus, such as the MySpace.com virus [4] in October 2005 or Yahoo's Yamanner virus [5] in June 2006.

Most of these traditional XSS attacks target the Web site where the XSS vulnerability exists, and the damage of the attack is limited by the features of that Web site. For example, session hijacking is only damaging if the site that has the XSS vulnerability actually issues session state and does something meaningful with it. The danger is that scanning and attacking internal applications or systems targets the end user. This means any XSS vulnerability on any site can be used to attack the end user, regardless of the features of the vulnerable site. There is no longer any such thing as a harmless XSS vulnerability.

Disclosure of Information

The ability to port scan and attack internal applications drastically increases the damage XSS can do. More information about this topic will be presented at the BlackHat USA 2006 security conference in Las Vegas. Jeremiah Grossman of WhiteHat Security will present detailed information during his presentation "Hacking Intranet Websites from the Outside: JavaScript malware just got a lot more dangerous" on August 3 at 10 a.m. Billy Hoffman of SPI Dynamics will also discuss the topic during his presentation "AJAX (in)security" on August 3 at 11:15 a.m. SPI Labs is releasing this information now to ensure that as many people as possible are aware of this increased danger from XSS vulnerabilities.

Recommendations

To help reduce the risk of port scans with JavaScript, follow these recommendations:

· Have your applications assessed for security vulnerabilities.
· Ensure that all input is validated before being processed.
· Use whitelisting rather than blacklisting for validation. Whitelisting involves accepting what you know to be good data, while blacklisting uses a list of data not to allow. Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input. For example, you know that a zip code should always be five digits; whitelisting the zip code input means accepting only five digits and nothing else.
· Add network Intrusion Detection System (IDS) rules for scanning behavior.

Additional Information

Additional information on possible cross-site scripting attacks can be found at the following locations:

Cross-Site Scripting: Are your Web applications vulnerable?
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf

The Cross-Site Scripting FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

Port Scanner
http://en.wikipedia.org/wiki/Portscan

References

1. http://www.winfuture-forum.de/lofiversion/index.php?t72053.html
2. http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html
3. http://xss-proxy.sourceforge.net/shmoocon-XSS-Proxy.ppt
4. http://namb.la/popular/
5. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001246

About SPI Labs

SPI Labs is the dedicated application security research and testing team of S.P.I. Dynamics. Composed of some of the industry's top security experts, SPI Labs is specifically focused on researching security vulnerabilities at the Web application layer. The SPI Labs mission is to provide objective research to the security community and to give organizations concerned with their security practices a method of detecting, remediating, and preventing attacks upon the Web application layer.

SPI Labs' industry-leading security expertise is evidenced by its continuous support of a combination of assessment methodologies, which are used in tandem to produce the most accurate Web application vulnerability assessments available on the market. This direct research is used to provide daily updates to S.P.I. Dynamics' suite of security assessment and testing software products. These updates include new intelligent engines capable of dynamically assessing Web applications for security vulnerabilities by crafting highly accurate attacks unique to each application and situation, and daily additions to the world's largest database of more than 5,000 application-layer vulnerability detection signatures and agents.

SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. Information regarding SPI Labs policies and procedures for disclosure is outlined on the S.P.I. Dynamics Web site at http://www.spidynamics.com/spilabs/.
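The Recommendations section above suggests IDS rules for scanning behavior. As an added example, not code from the original brief or from SPI Labs, the Python below applies that idea to a device's Web server access log: it parses Apache combined-format lines, looks for the fingerprint image paths named under Fingerprinting Applications, and reports clients whose browser fetched several of them while the referring page (the Referer header) came from outside the local network. The log lines, addresses and host names are constructed, and treating any named Referer host as external is an assumption made for this sample.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Image paths the brief names as fingerprint probes (IIS, Apache, Linksys, Plone).
FINGERPRINT_PATHS = {"/pagerror.gif", "/icons/c.gif", "/UI_Linksys.gif", "/plone_powered.gif"}

# Apache combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)(?: \S+)?" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Hostname from the Referer URL, or None when the header is absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname

def is_external(host):
    """True unless the referring page came from a private/loopback IP (named hosts assumed external)."""
    if host is None:
        return False
    try:
        return not ip_address(host).is_private
    except ValueError:
        return True

def find_probing_clients(lines, min_paths=2):
    """Map client IP -> sorted (path, referer host) pairs for clients that fetched at least
    `min_paths` distinct fingerprint images while an external page drove the requests."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = urlsplit(m["path"]).path  # drop any cache-busting query string
        host = referer_host(m["referer"])
        # HTTP status is deliberately ignored: a 404 for /pagerror.gif is still a probe.
        if path in FINGERPRINT_PATHS and is_external(host):
            hits[m["client"]].add((path, host))
    return {c: sorted(p) for c, p in hits.items() if len(p) >= min_paths}

# Constructed sample: 192.168.1.23 is driven by an external blog page; 192.168.1.50 is benign.
SAMPLE_LOG = [
    '192.168.1.23 - - [01/Aug/2006:10:02:11 -0400] "GET /UI_Linksys.gif HTTP/1.1" 200 2212 "http://blog.example.net/post/42" "Mozilla/5.0"',
    '192.168.1.23 - - [01/Aug/2006:10:02:11 -0400] "GET /pagerror.gif HTTP/1.1" 404 311 "http://blog.example.net/post/42" "Mozilla/5.0"',
    '192.168.1.23 - - [01/Aug/2006:10:02:12 -0400] "GET /icons/c.gif?r=7 HTTP/1.1" 404 311 "http://blog.example.net/post/42" "Mozilla/5.0"',
    '192.168.1.50 - - [01/Aug/2006:10:05:00 -0400] "GET /UI_Linksys.gif HTTP/1.1" 200 2212 "http://192.168.1.1/index.htm" "Mozilla/5.0"',
    '192.168.1.50 - - [01/Aug/2006:10:05:01 -0400] "GET /plone_powered.gif HTTP/1.1" 404 311 "-" "Mozilla/5.0"',
]
```

A missing Referer header defeats this heuristic, so combine it with rate-based rules for bursts of requests to many internal hosts rather than relying on it alone.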