Over the years, the arrival of strong host-based firewalls, consumer and corporate perimeter firewalls, and the browser Same-Origin Policy (SOP) has more or less ensured that external actors cannot reach the internal networks of organisations using malicious websites or scripts. As a result, many local services are never put through regular security audits to test their resilience against external input.
According to John Bergbom, senior security researcher at Forcepoint, organisations tend to believe that their internal networks are safe from browser-based threats because local networks are separated from the public Internet. That belief needs to be reviewed: an attacker can leverage loopholes in existing security policies to lob a malicious request at an internal network from a web page the victim merely visits.
The attacker can do this by making educated guesses, exploiting the tendency of both consumer and low-end corporate network devices to use default address ranges such as 192.168.0.0/24, 192.168.1.0/24 and 192.168.8.0/24. At the same time, many low-end DHCP servers assign addresses starting from .100 in the last octet by default, making it easy for external actors to guess that other internal hosts sit at 192.168.0.100 to 192.168.0.105.
"Circumventing SOP for reconnaissance purposes, edge case of surfing the intranet, and compromising internal services via CSRF all highlight the fact that the security of internal applications must be taken seriously. Even if you trust your users not to attack you, your own users are not your only concern," he said.
"This is one of the ideal points of the BeyondCorp model of security. Just because you're on a network doesn't mean you should have privileged access. We use fancy 802.1x radius authorisation for our employee network and the most that really gets you is printer access," Aaron Zander, head of IT at HackerOne told SC Media UK.
"Assigning trust based on what network someone happened to be on and not verifying it is asking for long term incursions that will remain unnoticed for days, weeks, months or even years," he added.
"The fundamental vulnerability is a client-side script injection, which is a variant of Cross Site Scripting (XSS) and which has been known about since January 2000. Injection of script into client sites via reflection (a malicious link) or a stored cross-site-scripting attack can be mitigated via output encoding, a solution which has been known about for many years and is recommended by The Open Web Application Project (OWASP).
"Cross Site Scripting was also one of the most prevalent vulnerabilities discovered by Edgescan in 2018, accounting for 14.69 percent of all vulnerabilities discovered. Software developer education is key to prevention. Also enabling built-in security controls in modern software frameworks, many of which have built-in mitigations to such attacks," he added.
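To make the CSRF point concrete from the defender's side, here is an added example (not from Forcepoint, Edgescan or the quoted speakers) of the check a service listening on a default private address, assumed here to be 192.168.0.1 on port 80, can apply so that a page served from the public Internet cannot make it change state. It leans on the browser-set Sec-Fetch-Site header where present and falls back to comparing the Origin header against the service's own origin; a state-changing request that proves neither is treated as untrusted rather than "internal".

```python
from urllib.parse import urlsplit

# Constructed setting: a local web service on a default private address of the
# kind the article describes. These are assumed values, not from any real device.
SERVICE_HOST = "192.168.0.1"
SERVICE_PORT = 80

def origin_is_self(origin):
    """True only if the Origin header names this exact service (scheme, host, port).

    A serialised origin of "null" (sandboxed or opaque source) parses with no
    scheme or host and is rejected; a malformed port also rejects.
    """
    try:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False
    return parts.hostname == SERVICE_HOST and port == SERVICE_PORT

def allow_state_change(method, headers):
    """Decide whether a request may change state. Returns (allowed, reason).

    Safe methods are read-only by contract and pass. Anything else must show it
    came from the service's own pages: Sec-Fetch-Site is checked first because
    page script cannot set it; Origin is the fallback for browsers that omit
    Sec-Fetch-Site. Being on the internal network is never a reason to allow.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        # "same-origin": the service's own page; "none": user-initiated navigation.
        if site in ("same-origin", "none"):
            return True, f"sec-fetch-site={site}"
        return False, f"sec-fetch-site={site}"
    origin = h.get("origin")
    if origin is None:
        return False, "no origin on state-changing request"
    if origin_is_self(origin):
        return True, "origin matches service"
    return False, f"foreign origin {origin}"
```

Requests from an attacker-controlled public page carry `Sec-Fetch-Site: cross-site` and a foreign Origin, so they fail both branches regardless of the victim's position on the LAN.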