SPI Dynamics Warns of "Potentially Devastating JavaScript Attack"
Internet security company S.P.I. Dynamics announced the discovery of a new technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices. This technique can scan home or corporate networks protected behind firewalls. The code that does this is written in JavaScript and uses parts of the standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Web page that contains the JavaScript.

Since this does not exploit any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser. The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common, and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.

“Web application vulnerabilities, particularly cross-site scripting, are most frequently viewed by security professionals as a nuisance. However, SPI Labs has been closely tracking the escalating damage that these vulnerabilities can cause as they become mainstream,” said Billy Hoffman, Lead Research Engineer, SPI Labs. “This potentially devastating JavaScript attack, along with the growing exploitation of Cross-Site Scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed. There is no such thing as a harmless XSS vulnerability.”

To help reduce the risk of port scans with JavaScript, SPI Labs recommends the following actions be taken:
For more information, a detailed briefing on this exploit can be found by visiting http://www.spidynamics.com/assets/documents/JSportscan.pdf, and a proof of concept demonstration can be found at http://www.spidynamics.com/spilabs/js-port-scan/.
Copyright © 1998 - 2018 DevStart, Inc. All Rights Reserved