SlideShare is now on Android. 15 million presentations at your fingertips.  Get the app

×
  • Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
 

Hacking Intranet Websites from the Outside

by Chief Technology Officer at WhiteHat Security on Jul 29, 2012

  • 1,285 views

Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"...

Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"

Imagine you’re visiting a popular website and invisible JavaScript exploit code steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005’s "Phishing with Superbait" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites.

Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.

Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript malware that automatically reconfigures your company’s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it’s critical that understand what it is and how to defend against it.

During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe bestpractices for securing websites and users against these threats.

You’ll see:

Port scanning and attacking intranet devices using JavaScript
Blind web server fingerprinting using unique URLs
Discovery NAT'ed IP addresses with Java Applets
Stealing web browser history with Cascading Style Sheets
Best-practice defense measures for securing websites
Essential habits for safe web surfing

Statistics

Views

Total Views
1,285
Views on SlideShare
1,268
Embed Views
17

Actions

Likes
1
Downloads
26
Comments
0

2 Embeds 17

https://twitter.com 14
https://si0.twimg.com 3

Accessibility

Categories

Upload Details

Uploaded via SlideShare as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
Post Comment
Edit your comment

Hacking Intranet Websites from the Outside Hacking Intranet Websites from the Outside Presentation Transcript