What Malicious Things has Javascript Done To You?

views:

411

answers:

+3 Q:

What Malicious Things has Javascript Done To You?

I asked the question: What's with those Do-Not-Use Javascript People and many people said that Javascript allows security exploits through client-side attacks.

So I need to follow up and understand the how bad the nature of these attacks are:

I'd like to hear some detailed descriptions of actual attacks or damage caused to your computer or your network that was directly or indirectly caused or allowed via Javascript.

Specifically, was there any physical damage caused to your computer or network? Did you lose any data? Was any of your software damaged? If any damage happened, how long did it take to fix, and how much did it cost?

Or was the attack stopped before it did any damage and how was it stopped? How long did this take and how much did it cost?

I don't consider popups an attack. They are simply an annoyance that can easily be blocked without disabling Javascript.

Please only detail attacks that you personally have attended to. I trust your wisdom as programmers, but I don't trust third party stories as much, where the cause might have been something else.

+1 A:

Well, any malicious JavaScript is ultimately going to be acting through browser capabilities, so this proof-of-concept demo might fit what you're looking for. It exploits the fact that a page can dynamically create a link to a given URL, then check what color it is to find out if your browser considers that site to be part of your browsing history. All that link does is try to guess your gender, but the same idea could be used for attacks - say, it could test for URLs of major banks, and present you with a phishing attack customized to whatever bank you use.

Of course this may be (ought to be) fixed in future browser releases, but then that's true of most exploits.

fenomas 2008-12-19 14:35:02

BWAHAHAHA "Proof of Concept." "Likelihood of you being FEMALE is 99%. Likelihood of you being MALE is 1%". Either I'm female and I don't know it, or the proof failed miserably.

cLFlaVA 2008-12-19 14:54:00

This is really stretching it. So let's say get the bank I deal with from my browsing history. They need to match this to my email address. Send me the "Phish" via email and hope I give my personal information. Javascript is not the source of the attack. Plus I asked for attacks that affected you.

lkessler 2008-12-19 15:18:32

Apparently I've visited only google.com so I'm undetermined. What sites is actually tested? All the pages on the top 10 list? I don't even recognize most of them.

Stein G. Strindhaug 2008-12-19 15:58:03

Phishing attacks can be carried out through mechanisms other than E-mail. As outlined above, the page that determines whether you've visited the URL of a major bank could present you with a copy of that bank's login page, with a different <form action="..."> to collect your credentials.

Grant Wagner 2008-12-19 16:45:42

lkessler: I know what you asked for, and if you visited the demo site, then you, like me, "have been affected" by a site which has used JS to query your browsing history. No idea what what email has to do with any of it, but the site still accessed your browsing history.

fenomas 2008-12-21 14:43:51

+3 A:

Hmm... Can 0wn you. I mean literally can own the whole computer, install a trojan.

I've seen and done so many XSS attacks successful which caused to steal administration's session and control the whole application. I've seen and done delivering a client side attack such as the link above, which caused installing another application (a RAT) and control the whole box.

After this point as an attacker you can start to attack internal network, such as you can own the router and then control the whole company traffic, you can attack the domain controller, or you can use pass the hash tool or a similar tool to steal local credentials and attack other systems with those credentials. After this point it's all about the security of the other computers (and the local computer if the browser was running as a least privileged used instead of an administrator account)

dr. evil 2008-12-19 14:48:28

Okay then. You were the attacker and not the attackee. Could you please detail one of the attacks and the damage it caused. I want concrete examples please.

lkessler 2008-12-19 15:05:01

First example it was a forum application with permanent XSS in it. Send a private message includes a javascript which send the cookie to my server. I got the login back to the application, and dive into the admin section.

dr. evil 2008-12-19 15:10:01

Take a look at this video : http://www.youtube.com/watch?v=Vg7lhWuPjMY it's demonstration of a real XSS attack.

dr. evil 2008-12-19 15:12:31

@lkessler, I get your point and all of that but I think you should be careful that you portrary yourself as skeptical that Javascript vulnerabilities are real. They very much are. However, does that mean we shouldn't use Javascript in web applications" I don't think so.

BobbyShaftoe 2008-12-19 15:30:55

Here you're talking about an exploit of a flaw in a website because of bad coding in the Forum software that allowed XSS injection. Yes, that can happen. Now I'd like a concrete example, not a demonstration, from someone it happened to.

lkessler 2008-12-19 15:31:42

Download metasploit, run IE 7 exploit locally. visit the page with an IE 7 and get a reverse shell. Then do whatever you want. You can make examples, assume that you put a trojan, it's exactly same with someone runs an application written by you. So possibilities are limitless.

dr. evil 2008-12-19 15:41:06

Yes, possibilities are limitless. So are ways that planes can crash. But planes crash very rarely. Since we hear about every single plane crash, a percentage of people have become paranoid of planes and won't fly. So my real question is asking if the true risk of Javascript justifies turning it off.

lkessler 2008-12-19 21:26:48

Disabling JS totally is not something realistic but using an addon such as NoScript is. This is related with the level of paranoia. Do you need antivirus? even though you don't download dodgy stuff? Do you need personal firewall? Do you need process control tool? Do you need an IDS? ...

dr. evil 2008-12-20 01:32:23

... very same level you need a JS switch button. It's defence in depth, I use it. Lots of other people doing, so yes there is possibility and it's out there. Just like using a personal firewall disabling Javascript makes sense. Otherwise why would I and so many other people disable it?

dr. evil 2008-12-20 01:33:41

A stacksmash can happen in literally millions of points in the code, not just the parts that are disabled by turning of JS. XSS nonsense can be completely avoided by using JS XHR responses to fill in HTML fields. CSRF and some clickjacking are still possible weather JS is on or not. Even with JS off, you can still change the look of the page when JS is off, which is often enough to win.

Longpoke 2010-06-05 22:08:05

@Longpoke Have you ever exploited a buffer overflow without JS? I can't recall any exploit which works without JS. Yes it can crash but you can't exploit, I can't imagine a good way to control stack without executing JS.

dr. evil 2010-06-06 09:05:15

@dr. evil, Have you ever exploited something without typing ./exploit ? yes... you can.

Longpoke 2010-06-06 13:03:50

Send a link please, I'm really curious about your awesome-o exploit code.

dr. evil 2010-06-06 13:30:13

+1 A:

Don't let your end users insert HTML markup that allows either a < script > tag, < style > tag, the style attribute or any on_? event attribute... and watch the content of href and src attributes

E.g. if you have a blog, don't just let them comment with any HTML.

Why?

1.) script tag is obvious, they can do whatever they want

2.) style tag and style attribute isn't so obvious, but in IE, they can use the behavior or expression properties to invoke script content

3.) any onclick, onmouseover, etc. attribute can obviously include script content so avoid it too.

4.) watch href and src attributes, if they contain the "javascript:" protocol, you are exposing script too.

Update: throw in < iframe >, < object > and < embed > as dangerous tags too...

scunliffe 2008-12-19 14:50:48

This is not an example of a specific attack that happened to you. You are simply explaining something that could happen. I want to know about incidents that have happened.

lkessler 2008-12-19 15:03:35

true, understood but this is one of the most common mistakes that devs make exposing themselves to any number of attacks.

scunliffe 2008-12-19 16:00:51

+1 A:

On my site nizzote.com/welcomeSO

I use <textarea> to collect text which i sanitize but someone saved </texarea><script> for (var i = 1; i > 0; i++) {alert("press ok one more time");}

and when the page was loaded again it would get you stuck in an alert box that you would have to close the browser to get out of.

I saw it pretty soon and htmlencoded all inputs to solve the problem. (c# httputility.htmlencode(string) ) no real damage or cost and the fix was quick.

rizzle 2008-12-19 15:32:13

No offense, but "I didn't sanitize my stuff" isn't really a JS vulnerability.

eyelidlessness 2008-12-20 06:02:06

Look at this post here at SO, that uses javascript to trick IE to run something it shouldn't.

some 2008-12-19 15:50:07

The exploit you link to doesn't "trick IE", it uses JavaScript to exploit a vulnerability in mshtml.dll. In that case, the problem isn't JavaScript, it is a bug in the underlying browser code.

Grant Wagner 2008-12-19 16:42:50

Maybe I use the word "trick" the wrong way; English isn't my native language. My point is that javascript made this exploit possible. It's not the language in itself but the possibilities of the programs written in the language, and thats the reason some people disable support for javascipt.

some 2008-12-19 19:15:38

Yeah, I agree criticizing the use of the word "trick" is just pedantic.

BobbyShaftoe 2008-12-19 22:59:58

I looked it up in a Swedish-English dictionary and got: lura : "trick somebody into doing something". So is it wrong to say that somebody has created a javascript to trick IE into running malicious code? (I'm trying to learn)

some 2008-12-21 06:36:34

An injection attack on a vulnerable input script on a client site caused a trojan-loading script body to be appended to each and every text field in their database via an automatic MS SQL script. We ended up using the script to negate itself to clean it up, but quite a few people got some sort of infection through a server in China before the hole could be plugged.

This applies to this in that the injection hole was one created through a javascript reference (an AJAX call) and the deliverable was also caused via the subsequently injected javascript.

Michael Runyon 2008-12-19 16:44:30

I personally haven't had any problems except for a few browser crashes here and there (and that's mostly from poorly-written code). Don't read too much into this, I definitely understand that javascript is a pretty wide attack vector; I'm just saying what is true for probably 80-90% of internet users and not web app developers.

Matt Kantor 2008-12-20 05:07:38

Spoiled me from enjoying statically linked strongly typed languages. And forged an involuntary bond of dependency on some guy named Crockford.

le dorfier 2008-12-20 05:11:31

ansaurus

tags:

views:

answers:

What Malicious Things has Javascript Done To You?

related questions