< April 2007 >
SuMoTuWeThFrSa
1 2 3 4 5 6 7
8 91011121314
15161718192021
22232425262728
2930     
Mon, 30 Apr 2007:

I've sort of been toying around with AttackAPI over the weekend and interestingly, I figured out that I was vulnerable to a lot of the attack vectors that were present. But what javascript causes, javascript can fix too. So here's a quick fix to prevent an intruder from portscanning your local network for ftp or other ports.

FindProxyForURL: The proxy autoconfig file can be used to filter out requests to the naughty port scanners. The aim is to detect a bad URL, redirect it to a proxy which will log the referrer and raise the corresponding alarms. And to parse out the URL properly, I use the following regex.

var urlRegex = new RegExp(
    "^(([^:/?#]+):)?"+ // scheme
    "(" +
        "(//)?"+ // delim
        "(([^@]+)@)?" + // userinfo
        "([^/?#:]*)?" + // host
        "(:([^/?#]+))?"+ // port
    ")"+
    "([^?#]*)"+  // path
    "(\\?([^#]*))?"+ // query
    "(#(.*))?$" // fragment
    );

After parsing out the URL, my very simple filter checks for a port value which is suspicious (i.e below 1024 and not 80) and redirects it to my local logging proxy which eats the request. I still haven't figured out a way of leaving a honeypot for attackers to ensure there's a human at the other end.

function FindProxyForURL(url, host)
{
  var m = url.match(urlRegex);
  if(m) 
  {
  	var port = m[7];
	if(port != "" && port != "80" && port.length < 4)
	  return "PROXY 127.0.0.1:4242";
  }
  else
  {
  	return "PROXY 127.0.0.1:4242";
  }

  return "DIRECT";
}

It should be perfectly possible for this technique to be extended to prevent XSS exploits with javascript land checking for common XSS attack vectors. But the essential problem is that this particular function cannot maintain context easily. The previous request cannot affect the current one, nor the current one affect the next request. Having minimal ability to learn does cause a large number of problems for a really practical solution - but if there is already such a hook, it might be possible to hook an extension into it.

--
Too many people are thinking of security instead of opportunity.
                            -- James F. Byrnes

posted at: 01:23 | path: /insecurity | permalink | Tags: , ,