Paid Advertising
web application security lab

Portscanning Without JavaScript

Jeremiah and I both began thinking of JavaScript port scanning nearly a year ago. For a while we were saying annoying things like “Well if you want to be safe you had better start surfing without JavaScript turned on.” Don’t you hate it when you’re wrong? Jeremiah began talking with me about a way that he could do port scanning without the use of JavaScript several months ago. It wasn’t even theoretical at the time, but it was quite a bit of work to construct.

Given that some of the buzz has died down about using HTML pages to build websites Jeremiah felt it was time to release his idea to the world. I think this is the answer to when people say things like they surf without JavaScript turned on. I guess we have pretty much completely broken the same domain policies of yesterday. If I can scan your Intranet application from an HTML page without JavaScript or Java or any DHTML content whatsoever I think it’s time to start revisiting the entire DOM security model. That might just be my opinion but come on. What else do we have to do to prove it’s not working?

I’m working on another project to XSS somewhere around 60% of all web based applications, not that I have to since the mhtml vulnerability is still on the loose. But I really think that the whole concept of browser same origin policy security is a theory at this point, and a theory that isn’t proving to be very successful as it turns out. Anyway, read Jeremiah’s post. He’s put enough thought into it to have a working prototype, but I’m sure someone else is going to want to take this to the next level. If anyone does please let me know. I’ll be interested to see the working example.

3 Responses to “Portscanning Without JavaScript”

  1. Kyran Says:

    Very interesting stuff. Perhaps a series of small pages. Each having a few iframes to do scanning. So it only takes a few seconds per page, them redirect to the next one. Each page could load a different colored “Loading…” gif so the user will think something Web 2.0ish and magical is happening.

  2. ntp Says:

    surfing without javascript or images turned on is basically like not using a web browser. sure, it will make you more secure - but you’ll also lose the ability to ever learn anything, have any fun, or contact any people. and as you and jeremiah have alluded to - there is no universal “off” button for javascript or flash - and there’s usually a way around it anyways.

    i think almost anybody can run xss assistant and check which sites allow for javascript injection (and to what degree or persistence) and which ones don’t. if you find a vuln - maybe you could work with the web administrators to remediate security-related bugs, or you could NoScript that site if you really want to continue using it (although I just usually move on to a better, similar, more-secure site since I don’t use NoScript).

    turning off Java, Flash (FlashBlock), external site cookies (WDT), and send referer header (PrefBar) all seem to help a little while browsing…
    note: these settings could be DEFAULT in Firefox and probably should be

    as for the “web adminstrator” problem as you all most classically describe the inability to ever get in touch with an administration about their lack of attention to basic security details… might i suggest using

    both web administrators and hackers could get together on gabbly to exchange GPG keys or hushmail accounts. using whois (or RWhois or IRR) information is so 1997. Using whois also certainly doesn’t work when people are using DomainsByProxy or WhoisGuard… or have wrong information. whois in general is a huge mess… how do you think IP/ASN hijacking works? see your blog posting on email threats two threads back for more details. maybe the whole internet actually is borken and doomed…

  3. Ilia Alshanetsky Says:

    There is a working proof of concept available here. For my network it was able to scan the entire 192.168.1.X range in about 2-3 minutes with a single “link” in Firefox.