There's a chilling mode of attack quietly emerging that turns an unsuspecting user's browser into a tool for attacking the user's own corporate intranet. From there, the attacker can scan the network, reconfigure network devices such as routers and firewalls, or even break into corporate payroll systems.
This type of exploit lets the attacker use the browser to reach other internal and external Web servers, too. "All data that bad guys want is on a Website somewhere," Grossman says. "So they take control of your browser and make your browser download illegal content. Every log would say you or your browser had done it. That's a scary [prospect] for a corporation."
If a user happens to be logged onto the targeted Website, the attacker gains even more power, Grossman says. "For example, if the user is logged into their Web bank, the attacker can do anything the user could, such as transferring money."
Grossman says WhiteHat Security, which provides vulnerability assessment services on an outsourcing basis, has found XSS in over 1,500 custom Web apps, and that eight out of 10 Websites are vulnerable to XSS. "Unfortunately, there is no way to patch a client to protect against it. The vulnerability is on the Website itself" within the site's custom Web applications, he says. "We need sites to start fixing these vulnerabilities."
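To make the server-side fix concrete, here is an added example (written for this page, not code from the article or from WhiteHat Security) of the kind of defect being described and what fixing it on the site looks like: a handler that reflects a query parameter into HTML without encoding, beside the same handler with context-appropriate encoding and a Content-Security-Policy header as defence in depth. The /hello route, the name parameter and the payload are assumptions.

```javascript
// Added example, not code from the article or from WhiteHat Security: the class of
// server-side defect the article is about, beside its fix. The route name, parameter
// name and payload are assumptions made for illustration.

// Vulnerable: an untrusted query value is concatenated straight into HTML, so a
// request such as /hello?name=<script src=...></script> makes every visitor's
// browser run the attacker's script with the site's origin.
function renderGreetingVulnerable(name) {
  return `<h1>Hello, ${name}</h1>`;
}

// Fix: encode the characters that carry meaning in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

function renderGreetingFixed(name) {
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Crude check used below: does the rendered markup contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The fixed request handler, framework-free so it runs anywhere: takes the raw query
// string of the assumed /hello route and returns the response to send. The
// Content-Security-Policy header is defence in depth: if an encoding bug ever slips
// through, inline script injected by an attacker still will not execute.
function handleHello(queryString) {
  const params = new URLSearchParams(queryString);
  const name = params.get('name') || 'anonymous';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    },
    body: renderGreetingFixed(name),
  };
}
```

Two caveats a reviewer would raise: escapeHtml is correct only for the HTML text and quoted-attribute contexts; a value placed inside a script block, a URL or a style needs the encoder for that context. And the CSP only helps if the site's own inline scripts have been moved into external files, otherwise the policy breaks the page and gets removed.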
Interestingly, Grossman says the hardest part was making the attacks visible to Black Hat attendees. "Doing a hack is a lot easier than an on-stage demo," he says. "It's harder to make it visible so the audience can understand it."
- Kelly Jackson Higgins, Senior Editor, Dark Reading