[Eug-lug] How secure is Javascript?
M. Bitner
moexu13 at gmail.com
Thu Jul 10 13:20:06 PDT 2008
He called it a port scanner and said that's what he could do with it
so I assumed that's what it was.
On Thu, Jul 10, 2008 at 12:54 PM, Ben Barrett <stircrazyben at gmail.com> wrote:
> And it is actually useful, too, in certain applications. Like seeing
> if a host is alive!!
> Note: this is not quite port scanning. Every tool is a weapon if you
> hold it such-and-such-ways... some tools are more dangerous than
> others, as are some users....
>
> ~ben
>
>
> On Thu, Jul 10, 2008 at 10:38 AM, M. Bitner <moexu13 at gmail.com> wrote:
>> I heard back from my colleague - this is what he wrote:
>>
>> I didn't write the original version; I found the base code at SPI
>> Dynamics and modified it from there.
>>
>> Attached is the proof of concept code I was working with. Currently it
>> just scans the ip range given, determines if the host is active, if
>> there is a webserver, and attempts to identify if the webserver is IIS
>> or Apache.
>>
>> This works cross browser as long as javascript is allowed.
>>
>> Something like this could be included into almost any page, it could
>> figure out the host IP address automatically, scan that netblock, post
>> the data back to a host, get further instructions based on what
>> ports/services are available, etc, all via Ajax actions or a hidden
>> Iframe, or probably other ways too.
>>
>> Basically, this could provide a way for an attacker to gain access to
>> information/services that are *inside* the firewall by simply getting
>> you to load a web page.
>>
>> Pretty cool stuff! :)
>>
>> Let me know if you need any more information...
>>
>> On Thu, Jul 10, 2008 at 9:30 AM, Ben Barrett <stircrazyben at gmail.com> wrote:
>>> Did anyone search for this, or are they too paranoid? :)
>>> There are a number of results, appears to not be unique at all...
>>> http://www.google.com/search?q=javascript+%22port+scan
>>>
>>> One method uses <script src="...."> and typeof on the result to get a signature;
>>> another uses only HTML, using the link tag to attempt to load what the
>>> browser thinks is a CSS,
>>> and then call upon an IMG which is really a timer script.
>>>
>>> JS: http://www.gnucitizen.org/projects/javascript-port-scanner/
>>> and http://michaeldaw.org/projects/jsescanner/
>>>
>>>
>>> ~ben
>>>
>>>
>>> On Thu, Jul 10, 2008 at 9:05 AM, M. Bitner <moexu13 at gmail.com> wrote:
>>>> It might have been IE only, I'm not sure. I don't work in the same
>>>> place but I can try and find out some more details from my former
>>>> colleague.
>>>>
>>>> On Wed, Jul 9, 2008 at 10:47 PM, Neil Parker <nparker at lyl.llx.com> wrote:
>>>>> Another thing worth remembering is that just as Javascript itself differs
>>>>> quite a bit from browser to browser, so do its security issues. A
>>>>> feature (?) that makes it possible to write a port scanner in one
>>>>> browser might not exist at all in another browser.
>>>>>
>>>>> Traditionally Internet Explorer has been considered the worst offender
>>>>> security-wise. In part this is because it lets you say "x = new
>>>>> ActiveXObject(...)", which sometimes makes it possible for Javascript to
>>>>> invoke components that were never intended to be used by a web browser.
>>>>> (Remember last year's Month of Browser Bugs? Most of the IE bugs on that
>>>>> list revolved around ActiveXObject.)
>>>>>
>>>>> ActiveXObject, and its security implications, are completely absent in
>>>>> Firefox. Not that Firefox has been free of Javascript security holes,
>>>>> though...as it evolved from 2.0 to 2.0.0.15, many of the updates
>>>>> included patches for Javascript security holes. Several of these involved
>>>>> ways for Javascript to elevate its permissions from content (highly
>>>>> restricted) to chrome (unrestricted, with full access to your filesystem
>>>>> and the network).
>>>>>
>>>>>
>>>>> I'd be highly interested to learn how that port scanner worked. Did it
>>>>> depend on one particular browser?
>>>>>
>>>>> - Neil Parker
>>>>> _______________________________________________
>>>>> EUGLUG mailing list
>>>>> euglug at euglug.org
>>>>> http://www.euglug.org/mailman/listinfo/euglug
>>>>>
>
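The thread's practical point is that a page loaded in a visitor's browser can make that browser talk to hosts inside the firewall. The example below is added here and is not the proof-of-concept mentioned above nor SPI Dynamics' code: it is a request guard for an intranet HTTP service, written for Node.js, that refuses requests a browser makes on behalf of a foreign page. It relies on the Origin and Sec-Fetch-Site request headers that modern browsers attach (neither existed in 2008) plus a Host-header allowlist; the hostnames, port and origins in it are constructed placeholders.

```javascript
// Added example for this thread (not the proof-of-concept discussed above,
// and not SPI Dynamics' code): a request guard for a service that lives
// inside the firewall. Modern browsers attach headers (Origin, Sec-Fetch-Site)
// that tell the service whether a foreign page caused the request; these did
// not exist in 2008. Hostnames, ports and origins below are constructed.

// Hostnames (with optional port) under which this service is legitimately reached.
const ALLOWED_HOSTS = new Set([
  'intranet.example.internal',
  'intranet.example.internal:8080',
  'localhost:8080',
]);

// Web origins that are permitted to call this service cross-origin.
const ALLOWED_ORIGINS = new Set(['https://portal.example.internal']);

// True when `origin` (e.g. "https://a.example") names the same host[:port] as
// the request's Host header, i.e. the page and the service share an origin.
function sameOriginAsHost(origin, host) {
  try {
    return new URL(origin).host.toLowerCase() === host;
  } catch {
    return false; // malformed Origin header
  }
}

// Decide whether a request should be served. `headers` is the Node-style
// header object (lower-case names). Returns { allow, reason }.
function classifyRequest(headers) {
  const host = (headers['host'] || '').toLowerCase();
  const origin = headers['origin'];
  const fetchSite = headers['sec-fetch-site'];

  // A probe that reaches us by raw IP (Host: 10.0.0.5:8080) or through a
  // DNS-rebinding name never presents a Host value we expect.
  if (!ALLOWED_HOSTS.has(host)) {
    return { allow: false, reason: 'unexpected Host header' };
  }
  // Sec-Fetch-Site: cross-site means a page from an unrelated site triggered
  // this request; browsers send it for <script>, <link>, <img> and fetch()
  // loads alike, even when no Origin header accompanies the request.
  if (fetchSite === 'cross-site') {
    return { allow: false, reason: 'cross-site browser request' };
  }
  // Origin is present on CORS requests and on navigation POSTs; any origin we
  // do not recognise is refused.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin) && !sameOriginAsHost(origin, host)) {
    return { allow: false, reason: 'unrecognised Origin' };
  }
  return { allow: true, reason: 'ok' };
}

// HTTP handler: log and refuse anything the guard rejects.
function handle(req, res) {
  const verdict = classifyRequest(req.headers);
  if (!verdict.allow) {
    console.log(`blocked ${req.socket.remoteAddress} ${req.method} ${req.url}: ${verdict.reason}`);
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('forbidden\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from the intranet service\n');
}

// Start listening only when explicitly asked ("node guard.js serve"), so that
// loading this file for its functions does not open a port.
function startServer(port = 8080) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}

if (typeof require !== 'undefined' && require.main === module && process.argv[2] === 'serve') {
  startServer();
}
```

Two caveats worth keeping in mind. The guard protects the service's content and actions, not the fact that the port accepts connections: a timing-based probe of the kind the thread describes still learns that something is listening, because the 403 arrives just as quickly as a 200 would, so network segmentation and not exposing administrative services to every workstation remain the first line of defence. And the Sec-Fetch-Site check only helps with browsers that send the header; the Host allowlist is the part that still works against older clients.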