Protecting the Intranet Against “JavaScript Malware” and Related Attacks

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4579)

Abstract

The networking functionality of JavaScript is restricted by the Same Origin Policy (SOP). However, as the SOP applies on a document level, JavaScript still possesses certain functionality for cross domain communication. These capabilities can be employed by malicious JavaScript to gain access to intranet resources from the outside. In this paper we exemplify capabilities of such scripts. To protect intranet hosts against JavaScript based threats, we then propose three countermeasures: Element Level SOP, rerouting of cross-site requests, and restricting the local network. These approaches are discussed concerning their respective protection potential and disadvantages. Based on this analysis, the most promising approach, restricting the local network, is evaluated practically.

This work was supported by the German Ministry of Economics (BMWi) as part of the project “secologic”, www.secologic.org.




Editor information

Bernhard M. Hämmerli, Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Johns, M., Winter, J. (2007). Protecting the Intranet Against “JavaScript Malware” and Related Attacks. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_3


  • DOI: https://doi.org/10.1007/978-3-540-73614-1_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1

  • eBook Packages: Computer Science, Computer Science (R0)
