Internal networks are also vulnerable to malicious JavaScript requests

News by Jay Jay

Organisations tend to believe that their internal networks are safe from browser-based threats because local networks are separated from the public Internet - but attackers can leverage network loopholes.

Even if your organisation has deployed a range of host-based and perimeter firewalls to detect and stop web-based threats, attackers can still target your organisation's internal network with malicious JavaScript by exploiting a loophole in the browser Same-origin Policy.

Over the years, the arrival of strong host-based firewalls, consumer/corporate perimeter firewalls, and the browser Same-origin Policy (SOP) has more or less ensured that external actors cannot gain access to the internal networks of organisations using malicious websites or scripts. As a result, many local services are not put through regular security audits to test their resilience against external input.

According to John Bergbom, senior security researcher at Forcepoint, the tendency of organisations to believe that their internal networks are safe from browser-based threats because of the separation of local networks from the public Internet needs to be reviewed as there are ways an attacker can leverage loopholes in existing security policies to lob a malicious request to an internal network.

For instance, the Same-origin Policy (that allows embedding of cross-domain resources such as images and JavaScript) allows a browser to send a cross-domain request but prevents JavaScript from reading the response. "For attacking certain vulnerable services, it may be enough to be able to blindly send a malicious request in order to satisfy the goals of the attacker," Bergbom noted.

He added that since the SOP, as Mozilla documents it, allows cross-origin embedding and writing, if an employee is lured to a malicious page through phishing, JavaScript on that page can make an XMLHttpRequest to an internal server, something that ideally no page on the public Internet should be able to do.

According to Bergbom, by leveraging this loophole in the SOP, attackers can not only send requests to internal servers through browsers, but can also discover internal hosts, do limited port scanning, do service fingerprinting, and may even be able to compromise vulnerable services via malicious JavaScript.

For instance, when the victim is running Chrome on Linux, an attacker can use JavaScript and the WebRTC API to find out the internal IP address of the victim's machine, which then enables the attacker to make much more targeted searches for other hosts nearby.

The attacker can do this by making educated guesses that exploit the tendency of both consumer and low-end corporate network devices to use default address ranges such as 192.168.0.0/24, 192.168.1.0/24 and 192.168.8.0/24. At the same time, many low-end DHCP servers assign addresses starting from host octet .100 by default, making it easy for external actors to find other internal hosts at addresses 192.168.0.100 to 192.168.0.105.

Even if larger organisations use 172.16.0.0/24 or 10.0.0.0/24 subnets, once an attacker learns one IP address using malicious JavaScript, the attacker can work out the correct /24 (class C sized) network and discover other internal hosts in the same corporate environment by trying nearby host octets.

According to Bergbom, there are also certain edge cases where an attacker can use JavaScript to read responses even where the full SOP is in force. This enables the attacker to surf the victim's internal network from the outside, using the victim's browser as a proxy. This is possible because the SOP does not prevent reading from pages within the same origin. Therefore, if a page used by an organisation is vulnerable to cross-site scripting, the attacker's malicious page can talk to the organisation's pages through it.
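As an added example, not code from the article or from Forcepoint: a request-classification check that an internal web service can apply so that requests a browser is driven into by a page on the public Internet are refused, while the service's own pages and direct navigation keep working. It relies on the Fetch Metadata (`Sec-Fetch-Site`) and `Origin`/`Referer` headers, which browsers attach and page scripts cannot forge; the allowlisted origin `https://intranet.corp.example` and the function names are assumptions.

```javascript
// Added example, not the article's code: policy an internal service can apply
// so that requests a browser is driven into by a page on the public Internet
// are refused, while the service's own pages and direct navigation still work.
const ALLOWED_ORIGINS = new Set(["https://intranet.corp.example"]); // assumed
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; } // "null" or junk -> null
}

// True only when the browser named a source (Origin, else Referer) and that
// source is allowlisted. Page scripts cannot set or forge these headers, so a
// page on the Internet cannot pass this check.
function fromAllowedOrigin(h) {
  const named = h["origin"] || h["referer"];
  if (!named) return false;
  const origin = originOf(named);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Returns "allow", "deny", or "needs-token" (unsafe request whose source the
// headers cannot establish; a per-session CSRF token must decide it).
function classifyRequest(method, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const site = (h["sec-fetch-site"] || "").toLowerCase();
  // Modern browsers label each request: "none" is a typed URL or bookmark,
  // "same-origin" is the service's own pages. Fetch Metadata is only sent to
  // HTTPS (or localhost) destinations, so a plain-HTTP intranet box falls
  // through to the legacy checks below.
  if (site === "same-origin" || site === "none") return "allow";
  if (site === "cross-site" || site === "same-site") {
    return fromAllowedOrigin(h) ? "allow" : "deny"; // the article's scenario
  }
  // No Fetch Metadata: Origin, then Referer, is the next best evidence.
  if (h["origin"] || h["referer"]) return fromAllowedOrigin(h) ? "allow" : "deny";
  // Nothing to go on: read-only requests pass; anything that could change
  // state (the CSRF case in the article) needs a token check.
  return SAFE_METHODS.has(method.toUpperCase()) ? "allow" : "needs-token";
}

// Minimal handler shape: a verdict other than "allow" becomes a 403.
function handle(method, headers) {
  const verdict = classifyRequest(method, headers);
  if (verdict !== "allow") return { status: 403, body: `refused: ${verdict}` };
  return { status: 200, body: "internal service response" };
}
```

Services reachable only over plain HTTP never receive Fetch Metadata, so for them the Origin/Referer fallback and the CSRF token are what actually stop a blind cross-origin request.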

"Local attacks via a remote cross-origin JavaScript represent an often neglected attack surface, and corporate users and home users alike are at risk of local attacks. Most home routers have had CSRF vulnerabilities, are rarely up-to-date on patching, and they typically use a known, fixed IP address – properties that make them easy to target.

"Circumventing SOP for reconnaissance purposes, edge case of surfing the intranet, and compromising internal services via CSRF all highlight the fact that the security of internal applications must be taken seriously. Even if you trust your users not to attack you, your own users are not your only concern," he said.

"This is one of the ideal points of the BeyondCorp model of security. Just because you're on a network doesn't mean you should have privileged access. We use fancy 802.1X RADIUS authorisation for our employee network and the most that really gets you is printer access," Aaron Zander, head of IT at HackerOne, told SC Media UK.

"Assigning trust based on what network someone happened to be on and not verifying it is asking for long term incursions that will remain unnoticed for days, weeks, months or even years," he added.

Eoin Keary, CEO and co-founder of edgescan, said that JavaScript attacks on internal networks are not new and have been around for some years, but possibly not at such an industrial level. References to such attacks (malicious JavaScript) date back to as early as 2006.

"The fundamental vulnerability is a client-side script injection, which is a variant of Cross Site Scripting (XSS) and which has been known about since January 2000. Injection of script into client sites via reflection (a malicious link) or a stored cross-site-scripting attack can be mitigated via output encoding, a solution which has been known about for many years and is recommended by The Open Web Application Project (OWASP).

"Cross Site Scripting was also one of the most prevalent vulnerabilities discovered by Edgescan in 2018, accounting for 14.69 percent of all vulnerabilities discovered. Software developer education is key to prevention, as is enabling built-in security controls in modern software frameworks, many of which have built-in mitigations to such attacks," he added.
