Javascript Attacks on Steroids

LAS VEGAS -- Just sat through a rather disturbing presentation here at Black Hat on how bad guys can use Javascript to circumvent hardware and software firewalls and wreak havoc on a target's internal network.

Jeremiah Grossman and T.C. Niedzialkowski, both of Santa Clara, Calif.-based WhiteHat Security, showed Javascript tricks that could allow attackers to monitor which sites users have visited, change the configuration of their firewalls, and even record victims' keyboard strokes.

Javascript is a powerful programming language that works seamlessly across multiple Web browsers and operating systems, but online criminals can tap into that power to effectively force browsers that visit malicious sites to do their bidding.

Using a Web server he and Niedzialkowski had seeded with invisible code, Grossman demonstrated how he could view which sites a test browser had recently visited. The code also divulged the user's internal network address -- information that is supposed to be hidden by the firewall. Later in the demo, he showed a Javascript attack that altered the test victim's firewall settings to allow attackers to punch through directly into the internal network.

Javascript attacks have become more prevalent over the past year. Many sites that cater to people searching for "cracks" -- copy-protection hacks that make it easier to use pirated software -- routinely use scripts to silently install malware.

Grossman said an attacker who managed to compromise a large number of computers using Javascript would have no trouble forcing those victims to unknowingly participate in all kinds of illegal activities, from click fraud to downloading illegal content, or using the combined power of the affected machines to conduct denial-of-service attacks capable of knocking a targeted Web site offline.

There are free tools available to help users block certain types of Javascript attacks. The NoScript extension for Firefox blocks all scripts by default, allowing the user to turn Javascript back on if they visit a trusted site and want to view content that requires it. But NoScript also remembers which sites the user has selected, and Javascript attacks are increasingly showing up on social-networking sites like and other places that many users implicitly trust.

Another tool I use on most of my machines is the Netcraft Toolbar, which does a pretty decent job of warning you before the browser loads sites that attempt to use known Javascript attack code.

But Grossman cautioned that these tools are not a comprehensive antiscript shield. "These are all designed to spot the bad sites, not necessarily good sites doing bad things," he said.

By Brian Krebs  |  August 3, 2006; 4:20 PM ET


Did you know that you can significantly speed up Firefox? You can find a manual on how to easily speed up Firefox over here: speed up firefox

Posted by: melon | August 4, 2006 5:42 AM | Report abuse

Brian, are these attacks browser-specific at all? Did the presenter give any info as to what APIs were the points of vulnerability? I'm thinking if they are APIs intended more for desktop integration, it might be possible for browser makers to turn them off, but if they are the core APIs of Javascript, then the problem is much tougher. With so many sites already completely reliant on Javascript, it's becoming less and less feasible to simply turn it off while browsing. The arrival of AJAX only makes the problem worse.

P.S. Brian, is it possible to block those "speed up firefox" spammers?

Posted by: Qian Wang | August 4, 2006 9:23 AM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company