Okay, back to earth again. What if I’m a malicious user and I want access to examplecompany.com? All I need to do is find some XSS in a website that gets a fair amount of traffic and simply wait until I see someone coming from the IP range of examplecompany.com. Once I get that user to visit my site, I can begin probing their network to disclose simple information about which machines are where. I can find out if they have PHP installed, and I can see which version of what stupid CMS they are using. By chaining multiple XSS vectors together I can start reading information off of those machines, and eventually probably find some remote shell compromise to open a port to the world. You name it: unless the company blocks all internet access for all employees, you can gain access.
This is probably my last post for a few days; I’m off to DefCon today. I may or may not post while I’m there; I haven’t decided yet. But stay out of trouble while I’m gone. No parties until I get back!