SPI Dynamics Warns of "Potentially Devastating JavaScript Attack"

SPI Labs Discovers Dangerous JavaScript Exploit; Urges Web Operators to Quickly Address XSS Vulnerabilities

JavaScriptSearch
Monday, July 31, 2006; 06:29 AM

Internet security company SPI Dynamics announced the discovery of a new technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices.

This technique can scan home or corporate networks protected behind firewalls. The code that does this is written in JavaScript and uses parts of the JavaScript standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Web page that contains the JavaScript. Since this does not exploit any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser.

The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.

“Web application vulnerabilities, particularly cross-site scripting, are most frequently viewed by security professionals as a nuisance. However, SPI Labs has been closely tracking the escalating damage that these vulnerabilities can cause as they become mainstream,” said Billy Hoffman, Lead Research Engineer, SPI Labs. “This potentially devastating JavaScript attack, along with the growing exploitation of Cross-Site Scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed. There is no such thing as a harmless XSS vulnerability.”

To help reduce the risk of port scans with JavaScript, SPI Labs recommends the following actions be taken:

  • Have your Web applications assessed for security vulnerabilities immediately, and continue to do so on a frequent periodic basis.
  • Ensure that all input is validated before being processed.
  • Use whitelisting rather than blacklisting for validation. Whitelisting involves accepting only what you know to be good data, while blacklisting uses a list of data not to allow. Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input. For example, you know that a U.S. zip code should always be five digits; whitelisting the zip code input means accepting only five digits and nothing else.
  • Add network Intrusion Detection System (IDS) rules for scanning behavior.
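The last recommendation, detecting scanning behaviour on the network, as an added example that is not from SPI Dynamics or the briefing: a small Python detector over constructed connection-log lines that flags any source contacting many distinct internal host:port pairs inside a short window. It assumes the log format shown in the code, and because the JavaScript runs in the victim's browser, the scanning source is an internal workstation, so the sensor feeding such a rule must see internal traffic, not just the perimeter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log lines (not from the page). Ten distinct internal
# hosts probed from one workstation within a few seconds looks like a scan;
# a handful of unrelated connections spread over a minute does not.
SCAN_LINES = [
    f"2006-07-31T06:29:{i:02d} src=192.168.1.50 dst=192.168.1.{i + 1}:80"
    for i in range(10)
]
NORMAL_LINES = [
    "2006-07-31T06:29:00 src=192.168.1.77 dst=192.168.1.1:80",
    "2006-07-31T06:29:25 src=192.168.1.77 dst=192.168.1.5:443",
    "2006-07-31T06:29:59 src=192.168.1.77 dst=192.168.1.9:8080",
]
SAMPLE_LOG = "\n".join(SCAN_LINES + NORMAL_LINES)


def parse_line(line):
    """'<iso-ts> src=<ip> dst=<ip>:<port>' -> (datetime, src, 'ip:port')."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], dst.split("=", 1)[1]


def detect_scanners(log_text, window=timedelta(seconds=10), threshold=8):
    """Map each source IP to the largest number of distinct host:port targets
    it contacted inside any `window`; only sources reaching `threshold` are kept."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} touched {n} distinct targets within 10s")
```

Tune `window` and `threshold` to the normal fan-out of your own hosts; a browser-driven scan tends to show up as one client touching many distinct destinations far faster than a user ever would.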

For more information, a detailed briefing on this exploit can be found by visiting http://www.spidynamics.com/assets/documents/JSportscan.pdf, and a proof of concept demonstration can be found at http://www.spidynamics.com/spilabs/js-port-scan/.


www.spidynamics.com
