[Eug-lug] How secure is Javascript?

Allen Brown abrown at peak.org
Wed Jul 9 16:49:07 PDT 2008 

The rule with fleas is: for every one you see there are at
least 10 more.

Besides, if you can get out to ports like this
to perform a scan, what is to stop you for exploiting the
ports you find?  No, this feels too much like complete
bypass of a firewall.
-- 
Allen Brown
http://brown.armoredpenguin.com/~abrown

> It might not be much by itself but it would be helpful if you were
> gathering information for a more targeted attack. I don't have the
> code; I just know that he was working on it and he shared the results
> when he got it finished. It took him about a day to do.
>
> On Wed, Jul 9, 2008 at 4:22 PM, Jimmy Hendrix
> <jimmythedestroyer at gmail.com> wrote:
>> I would love to see the code to do that.  Although it is worth noting
>> that
>> an internal port scan isn't worth much since you would need to crack the
>> perimeter firewall or take full control of the machine through some
>> other
>> method before the info is worth anything.  Otherwise you would know what
>> ports are open, but the firewall would stop you from exploiting them.
>>
>> Jimmy
>>
>> On Wed, Jul 9, 2008 at 3:57 PM, M. Bitner <moexu13 at gmail.com> wrote:
>>>
>>> I started religiously running NoScript in Firefox after a colleague of
>>> mine figured out how to write a port scanner in Javascript. So if you
>>> went to his page with Javascript  enabled he would able to have you
>>> run a scan of your internal network, as your user, with your
>>> permissions, regardless of firewall settings. So my answer would be
>>> that even if Javascript has gotten safer it doesn't mean that people
>>> haven't figured out clever things to do with it that you wouldn't want
>>> to happen.
>>>
>>> On Wed, Jul 9, 2008 at 3:53 PM, Allen Brown <abrown at peak.org> wrote:
>>> > I am moderately paranoid about allowing web sites run javascript
>>> > in my browser.  (I use NoScript in Firefox.)  Basically I only
>>> > enable it if I know the owner of the site or trust them because
>>> > of who they are.  Examples: personal friends or banks.
>>> >
>>> > Am I being unnecessarily paranoid?  Has Javascript gotten good
>>> > enough that I can let my guard down?  How do you all handle this?
>>> > --
>>> > Allen Brown  abrown at peak.org
>>> >  http://brown.armoredpenguin.com/~abrown/
>>> >  Criticism may not be agreeable, but it is necessary. It fulfils
>>> >  the same function as pain in the human body. It calls attention
>>> >  to an unhealthy state of things. --- Sir Winston Churchill
>>> > _______________________________________________
>>> > EUGLUG mailing list
>>> > euglug at euglug.org
>>> > http://www.euglug.org/mailman/listinfo/euglug
>>> >
>>> _______________________________________________
>>> EUGLUG mailing list
>>> euglug at euglug.org
>>> http://www.euglug.org/mailman/listinfo/euglug
>>
>>
>> _______________________________________________
>> EUGLUG mailing list
>> euglug at euglug.org
>> http://www.euglug.org/mailman/listinfo/euglug
>>
>>
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug
>

More information about the EUGLUG mailing list