Popularity: 3
Simplicity: 5
Impact: 6
Risk Rating: 5
JavaScript attack tools do not always focus on attacking the user but can instead use a compromised user to attack other targets of interest. For example, one particular bit of
Figure 4-5 HistoryThief
malicious JavaScript uses the browser as a tool to portscan the internal network. This is a significant variation from traditional portscans, because modern networks are virtually guaranteed to be protected from external portscans by a firewall and use of Network Address Translation (NAT). Often the reliance on a firewall leads to the internal network being left unhardened against attack. By using JavaScript to cause a victim’s browser to perform the portscan, the scan will be conducted from inside the firewall and will provide an attacker with otherwise unavailable information.
Originally discussed in research by Jeremiah Grossman and Billy Hoffman, malicious JavaScript can be used in a number of ways to conduct a portscan of internal machines.
Regardless of which way the scan is conducted, the first step in a JavaScript portscan is determining which hosts are up on the internal network. While this was traditionally performed by pinging hosts with Internet Control Message Protocol (ICMP), in the browser it is accomplished by using HTML elements. By using an HTML <img> tag pointing at sequential IP addresses on the network and the JavaScript onload and onerror functions, malicious JavaScript inside the browser can determine which hosts on the internal network are reachable and which are not. Once the available hosts are enumerated, actual portscanning of the hosts can begin. Scanning for internal web servers (TCP port 80) is the simplest exercise, as it can be completed by using the HTML
<script> tag and the JavaScript onerror event. By using the <script> tag in a form such as <script src="http://targethost">, an attacker can determine whether a web server is running on the targethost. This is due to the fact that if HTML is returned (that is, if a web server is up), the JavaScript interpreter will throw an error. However, if no web server is running, a timeout will occur.
While both ping scans and web server scans are easily performed, scanning for other network ports changes per browser and per version. For example, Firefox limits connectively to certain low-numbered ports. As such, reliable tools exist only for performing ping scans and web server scans.
Multiple tools can be used to perform portscanning in JavaScript. SPI Dynamics released a proof of concept tool that can be used to scan for and identify web servers. An implementation that is capable of scanning multiple ports was released by Petko Petkov and is available at www.gnucitizen.org/projects/javascript-port-scanner/portscanner.js.
Unlike attacks with other tools, this attack can be performed even if the victim has disabled JavaScript in her browser. Jeremiah Grossman published research that demonstrated that by simply using the HTML <link> and <img> tags, a network could be portscanned for web servers without the use of JavaScript. This attack is performed by loading a Cascading Style Sheet (CSS) through the <link> tag, which points to the IP of the host that the attacker wishes to portscan. An <img> tag is then pointed back to a server that the attacker controls and passes the current time as an argument. If a machine is not running a web server, the <link> tag attempting to load a CSS from it will time out. By looping through the IP addresses of all internal hosts the attacker wants to scan and measuring the time differences of when the <img> tag gets processed, the attacker can determine which internal hosts are running web servers.
As shown by Ilia Alshanetsky, forcing a victim’s browser to portscan an internal network can also be completed without JavaScript. Ilia took Jeremiah Grossman’s
research a step further and published a pair of proof of concept PHP scripts. These scripts allow an attacker to force a victim’s browser to conduct a portscan of internal IP addresses.
This tool can be used by an attacker using the following steps:
1. The attacker downloads the two PHP scripts displayed at http://ilia.ws/
archives/145-Network-Scanning-with-HTTP-without-JavaScript.html and host it on a web server under his control, such as http://www.cybervillains.com/
scan.php.
2. The attacker edits the script that performs the scans and modifi es two HTML tags. First, the attacker edits the <link> tag on line 13 to set the internal IP range he wants to force the victim’s browser to scan. Second, he edits the
<img> tag on line 14 to point to scan.php script on the web server under his control. When a victim views the page, scan.php will save the results of the portscan to a text fi le in the /tmp/ directory. The attacker can then read the victim’s web server logs to see these results.
3. The attacker then forces the victim to view the www.cybervillains.com/scan.php URL, through an attack such as a phishing e-mail or a browser vulnerability.
4. Finally, the attacker views the logs created in /tmp/ by scan.php and reviews the results of the portscan obtained from the victim’s browser. As shown in Figure 4-6, when a victim visits the port scanner HTML page, a fi le is created in /tmp/ on the attacker’s web server. This fi le will contain information on the sequential range of IP addresses scanned inside the victims internal network.
Figure 4-6 Port Scanner Output