[Eug-lug] How secure is Javascript?

Ben Barrett stircrazyben at gmail.com
Thu Jul 10 12:54:36 PDT 2008 

And it is actually useful, too, in certain applications.  Like seeing
if a host is alive!!
Note:  this is not quite port scanning.  Every tool is a weapon if you
hold it such-and-such-ways... some tools are more dangerous than
others, as are some users....

~ben


On Thu, Jul 10, 2008 at 10:38 AM, M. Bitner <moexu13 at gmail.com> wrote:
> I heard back from my colleague - this is what he wrote:
>
> I didn't write the original version; I found the base code at SPI
> Dynamics and modified it from there.
>
> Attached is the proof of concept code I was working with.  Currently it
> just scans the ip range given, determines if the host is active, if
> there is a webserver, and attempts to identify if the webserver is IIS
> or Apache.
>
> This works cross browser as long as javascript is allowed.
>
> Something like this could be included into almost any page, it could
> figure out the host IP address automatically, scan that netblock, post
> the data back to a host, get further instructions based on what
> ports/services are available, etc, all via Ajax actions or a hidden
> Iframe, or probably other ways too.
>
> Basically, this could provide a way for an attacker to gain access to
> information/services that are *inside* the firewall by simply getting
> you to load a web page.
>
> Pretty cool stuff!  :)
>
> Let me know if you need any more information...
>
> On Thu, Jul 10, 2008 at 9:30 AM, Ben Barrett <stircrazyben at gmail.com> wrote:
>> Did anyone search for this, or are they too paranoid?  :)
>> There are a number of results, appears to not be unique at all...
>> http://www.google.com/search?q=javascript+%22port+scan
>>
>> One method uses <script src="...."> and typeof on the result to get a signature;
>> another uses only HTML, using the link tag to attempt to load what the
>> browser thinks is a CSS,
>> and then call upon an IMG which is really a timer script.
>>
>> JS:  http://www.gnucitizen.org/projects/javascript-port-scanner/
>> and http://michaeldaw.org/projects/jsescanner/
>>
>>
>> ~ben
>>
>>
>> On Thu, Jul 10, 2008 at 9:05 AM, M. Bitner <moexu13 at gmail.com> wrote:
>>> It might have been IE only, I'm not sure. I don't work in the same
>>> place but I can try and find out some more details from my former
>>> colleague.
>>>
>>> On Wed, Jul 9, 2008 at 10:47 PM, Neil Parker <nparker at lyl.llx.com> wrote:
>>>> Another thing worth remembering is that just as Javascript itself differs
>>>> quit a bit from browser to browser, so do its security issues.  A
>>>> feature (?) that makes it possible to write a port scanner in one
>>>> browser might not exist at all in another browser.
>>>>
>>>> Traditionally Internet Explorer has been considered the worst offender
>>>> security-wise.  In part this is because it lets you say "x = new
>>>> ActiveXObject(...)", which sometimes makes it possible for Javascript to
>>>> invoke components that were never intended to be used by a web browser.
>>>> (Remember last year's Month of Browser Bugs?  Most of the IE bugs on that
>>>> list revolved around ActiveXObject.)
>>>>
>>>> ActiveXObject, and its security implications, are completely absent in
>>>> Firefox.  Not that Firefox has been free of Javascript security holes,
>>>> though...as it evolved from 2.0 to 2.0.0.15, many of the updates
>>>> included patches for Javascript security holes.  Several of these involved
>>>> ways for Javascipt to elevate its permissions from content (highly
>>>> restricted) to chrome (unrestricted, with full access to your filesystem
>>>> and the network).
>>>>
>>>>
>>>> I'd be highly interested to learn how that port scanner worked.  Did it
>>>> depend on one particular browser?
>>>>
>>>>               - Neil Parker
>>>> _______________________________________________
>>>> EUGLUG mailing list
>>>> euglug at euglug.org
>>>> http://www.euglug.org/mailman/listinfo/euglug
>>>>
>>> _______________________________________________
>>> EUGLUG mailing list
>>> euglug at euglug.org
>>> http://www.euglug.org/mailman/listinfo/euglug
>>>
>> _______________________________________________
>> EUGLUG mailing list
>> euglug at euglug.org
>> http://www.euglug.org/mailman/listinfo/euglug
>>
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug
>

More information about the EUGLUG mailing list