SPI to Show XSS Attack
SPI discovered a technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices
July 27, 2006
ATLANTA -- S.P.I. Dynamics, Inc. (http://www.spidynamics.com), the expert in Web application security, today announced the company's renowned R&D team, SPI Labs, has discovered a technique to scan a network, fingerprint all the Web-enabled devices found, and send attacks or commands to those devices.
This technique can scan networks protected behind firewalls such as corporate networks. All the code to do this is written in JavaScript and uses parts of the standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Webpage that contains the JavaScript. Since this is not exploiting any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser.
The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.
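The payload described above only reaches a victim's browser if a Web application reflects untrusted input into its pages without encoding it. The following is an added example, not code from SPI Labs or from this announcement, showing a reflected-input template in its vulnerable form next to a hardened form that HTML-encodes the input, with a constructed sample payload to illustrate the difference. The function names, the template and the sample string are all assumptions made for the example.

```javascript
// Added example (not SPI Labs code): closing the XSS injection point that a
// JavaScript payload of the kind described in the announcement rides in on.
// Untrusted input placed into HTML must be encoded for the context it lands
// in; otherwise the browser parses it as markup and runs any script it carries.

// Characters that carry meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so it renders literally inside an element body or a
// quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering (hypothetical search page): the query parameter is
// concatenated straight into the markup.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: the same template with the input encoded first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Simple check used for the demonstration: does the rendered page contain a
// script element that was not part of the template?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a script element pointing at an attacker-chosen
// host (placeholder domain), the shape of a reflected XSS payload.
const SAMPLE_PAYLOAD =
  '<script src="https://example.invalid/payload.js"></script>';

// Returns whether each rendering lets the payload through as live markup.
function demo() {
  return {
    unsafe: containsScriptTag(renderSearchUnsafe(SAMPLE_PAYLOAD)), // true
    safe: containsScriptTag(renderSearchSafe(SAMPLE_PAYLOAD)),     // false
  };
}

console.log(demo());
console.log(renderSearchSafe(SAMPLE_PAYLOAD));
```

The hardened form stops this payload because the browser never sees a `<script` token, only the encoded text. Encoding must match the output context (element body, attribute, URL, inline script), so a single escaper like this one covers only the HTML text and quoted-attribute cases shown here.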
"Web application vulnerabilities, particularly cross-site scripting, are most frequently viewed by security professionals as a nuisance. However, SPI Labs has been closely tracking the escalating damage that these vulnerabilities can cause as they become mainstream," said Billy Hoffman, Lead Research Engineer, SPI Labs. "This potentially devastating JavaScript attack, along with the growing exploitation of Cross-Site Scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed. There is no such thing as a harmless XSS vulnerability."