A malicious technique for scanning a network, fingerprinting all Web-enabled devices found, and sending attacks or commands to those devices has been uncovered by SPI Labs.
This technique can scan networks that sit behind firewalls, such as corporate networks. All the code to do this is written in JavaScript and uses parts of the standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Web page that contains the JavaScript. Since this is not exploiting any browser bug or vulnerability, there is no patch or defense for end users, other than turning off JavaScript support in the browser.
The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common and large companies like MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.
Read More from Dr. Dobb’s Journal
For more information, see this detailed briefing on this exploit. A proof-of-concept demonstration is also available.
