Friday, August 11, 2006

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the globe in less than 24 hours. This scenario is no longer one of fiction.
As discussed in the Security Now podcast this week, there are ways of protecting yourself against Javascript, both on Internet Explorer and Firefox. The extension of choice is NoScript, which tells you when scripts are being used, and allows you to turn them on if absolutely necessary.

No comments: