I’ve been thinking a lot about my last post, and there are so many different paths to take this that it’s difficult to choose what to write about, but this is one thing that popped into my head this morning. One major issue with the naming convention of intranet applications is that they aren’t named only http://intranet/, they are also named http://intranet.company.name/, which is both good and bad. It’s good from a usability perspective and bad from a web application security perspective. If you know how the intranet is named and you want to attack a particular company’s users, you can find out who the user is despite IP anonymization.
Let’s say I run a hacking site that is of particular interest to bigsearchengine.com, and I want to target an attack only at particular users at bigsearchengine.com, but that company uses things like redirectors and anonymizers to hide who they are. No problem. All I need to do is detect where they’ve been. So here is where I, as a bad guy, whip out Jeremiah’s CSS trick. But instead of pointing it at http://www.somerandomcompany.com/ I point it at http://intranet.bigsearchengine.com/ (hopefully you know the exact name of the intranet so you can target better, but you get the point).
Now, regardless of anonymous proxies, hidden referring URLs or any other tricks, I know exactly who the user is. They may or may not be allowed to connect back into their network if they are anonymizing their traffic, but I’m willing to bet most people are anonymizing at the network level, not at the client, meaning they can still access internal servers. This is the flag that lets me start launching my highly targeted attack with my mapping (as you’ve seen below) of the company of choice.
Now you’re saying, “But what if they clear their history?” Well, it’s easy enough to force their browser to the intranet site too. If they can successfully connect to the intranet site in question, they now have it in their history, and boom, your detection is on again. .htaccess basic auth dialogues throw a wrench into the mix, but I’m not sure how many intranet sites are protected that way. Anyway, sucks to be bigsearchengine.com right about now, doesn’t it?
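For the people on the other side of this, here is an added example (my own, not code from the original post) of what a security team can look for when a suspicious page is reported: the probe described above leaves a recognisable footprint in the HTML, namely anchors pointing into the company’s internal namespace combined with a `:visited` style rule, often with a script that reads computed link styles, and, for the “force them there first” variant, a frame or meta refresh aimed at an internal URL. The internal namespace (`bigsearchengine.com`), the RFC 1918 check and the two sample pages are constructed for the demo; external stylesheets are not fetched, so only inline CSS is inspected.

```python
"""Added example, not code from the original post: scan a page's HTML for the
history-probing pattern described above, i.e. links into a company's internal
namespace combined with :visited styling (plus a script that reads computed
styles, or frames/meta refreshes that force the browser to load an internal
URL). Hostnames and the sample pages below are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the internal namespace a defender wants to watch for.
INTERNAL_SUFFIXES = (".bigsearchengine.com",)
_RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def is_internal(url):
    """True if the URL's host looks like it only resolves inside a corporate network."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    if host.endswith(INTERNAL_SUFFIXES):
        return True
    if "." not in host:  # single-label names such as http://intranet/
        return True
    return _RFC1918.match(host) is not None


class _PageCollector(HTMLParser):
    """Collects anchor hrefs, forced-load URLs, inline CSS and inline script."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.forced, self.css, self.js = [], [], [], []
        self._mode = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag in ("iframe", "frame") and a.get("src"):
            self.forced.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self.forced.append(m.group(1))
        elif tag in ("style", "script"):
            self._mode = tag

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._mode = None

    def handle_data(self, data):
        if self._mode == "style":
            self.css.append(data)
        elif self._mode == "script":
            self.js.append(data)


def find_history_probes(html):
    """Return the indicators found in the page and an overall verdict."""
    p = _PageCollector()
    p.feed(html)
    internal_links = [h for h in p.hrefs if is_internal(h)]
    forced_internal = [u for u in p.forced if is_internal(u)]
    visited_rule = any(re.search(r":visited\b", c) for c in p.css)
    style_read = any(re.search(r"getComputedStyle|currentStyle", j) for j in p.js)
    return {
        "internal_links": internal_links,
        "forced_internal_loads": forced_internal,
        "visited_rule": visited_rule,
        "computed_style_read": style_read,
        # The probe needs both a :visited rule and something internal to probe.
        "suspicious": visited_rule and bool(internal_links),
    }


# Constructed sample: a page carrying the probe pattern against the intranet.
SAMPLE_PROBE = """<html><head>
<style>a { color: #fff; } a:visited { color: #f00; }</style>
<meta http-equiv="refresh" content="0; url=http://intranet.bigsearchengine.com/">
</head><body>
<a href="http://intranet.bigsearchengine.com/">a</a>
<a href="http://intranet/">b</a>
<a href="http://www.somerandomcompany.com/">c</a>
<script>var c = getComputedStyle(document.links[0]).color;</script>
</body></html>"""

# Constructed sample: ordinary :visited styling with only public links.
SAMPLE_BENIGN = """<html><head><style>a:visited { color: purple; }</style></head>
<body><a href="http://www.somerandomcompany.com/">home</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("probe", SAMPLE_PROBE), ("benign", SAMPLE_BENIGN)):
        print(name, find_history_probes(page))
```

Run it over the HTML of a reported landing page; a hit on `suspicious` (internal links plus a `:visited` rule) is the signal worth a closer look, and `forced_internal_loads` tells you the page is also trying to seed the history entry it then tests for.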