[Sussex] JavaScript is no longer secure: TURN IT OFF NOW!

Al Bennett al at plasticfish.co.uk
Sun Aug 13 22:28:23 UTC 2006


Hello from Edinburgh!  (Hoots mon, see you Jimmy, you'll have had your tea 
etc)

> This is a proof of concept.  It isn't trying to be malicious.

Is it just me, or does this proof of concept not prove very much?

After a quick breeze through the code I can see this... all it seems to show 
is that JavaScript has the power to create an iframe tag using the result of 
the concatenation of "http://" and an IP address.  Then if it finds that 
returns a page it tries to grab a specific image from the found webserver to 
determine what server is running.

So, basically it's using the techniques that allow us to create clever AJAX 
type web applications that create requests and pull data but using words 
like "fingerprinting" and "probe" to make it sound suitably terrifying.  I 
can't see any evidence that it's "probing" any ports other than 80 (I _don't 
think_ you can create anything other than an HTTP request using AJAX so it's 
limited to probing HTTP based services whatever port it chooses (although an 
sshd responds with a version string to an HTTP req)).

If your router/firewall can be flattened by a specially crafted HTTP request 
without a password then you need a better router/firewall, not less 
JavaScript!

Or am I missing something?

Al 