CDM-CYBER-DEFENSE-eMAGAZINE-March-2019
Stealing HTML5 web storage data: HTML5 introduced a new feature, web storage. A website can now store data in the browser for later use and, of course, JavaScript can access that storage via window.localStorage and window.sessionStorage.
Browser & System Fingerprinting: JavaScript makes it a piece of cake to find the browser name, version, installed plugins and their versions, operating system version, architecture, system time, language and screen resolution.
Network Scanning: The victim's browser can be abused to scan ports and hosts with JavaScript.
Crashing Browsers: Adversaries can crash the browser by flooding it with stuff.
Stealing Information: It's possible to grab information from the webpage and send it to a malicious server.
Redirecting: Adversaries can use JavaScript to redirect users to any webpage.
Tab-napping: Just a fancy version of redirection. For example, if no keyboard or mouse events have been received for more than a minute, it could mean that the user is AFK, and adversaries can sneakily replace the current webpage with a fake one.
Capturing Screenshots: Adversaries can take screenshots of a webpage. Blind XSS detection tools were doing this before it was cool.
Considerations
JavaScript is a powerful language and can be used to manipulate users' behavior while they are visiting a web page. Many times it is underrated as a vulnerability, but the malicious horizon is giant, as observed throughout this article.
Living in this digital era, you should always be suspicious of anything strange.
For developers, there are three brilliant practices that I love: (i) escaping, (ii) validating input via a whitelist, and (iii) sanitizing. Code review, automated static code analysis, and secure coding must always be mandatory procedures in development teams.
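The three developer practices named above (escaping, whitelist validation, sanitizing), shown together as an added example that is not from the original article. The function names, the username pattern and the sample comment are assumptions made for illustration.

```javascript
// Added example: escaping, allowlist validation and sanitizing in plain JavaScript.
// Function names and sample inputs are constructed for illustration.

// (i) Escaping: encode the characters that are significant in HTML text and
// quoted attribute values, so untrusted data is rendered as text, not markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// (ii) Allowlist validation: accept only the shape we expect, reject the rest.
function isValidUsername(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_.-]{3,32}$/.test(value);
}

// (iii) Sanitizing: a link target is kept only if it parses as an absolute
// http(s) URL; anything else (other schemes, relative or malformed) becomes '#'.
function sanitizeHref(value) {
  try {
    const url = new URL(String(value).trim());
    return ['http:', 'https:'].includes(url.protocol) ? url.href : '#';
  } catch {
    return '#';
  }
}

// Combine the three when building markup from untrusted fields.
function renderComment({ author, homepage, text }) {
  if (!isValidUsername(author)) {
    throw new Error('author rejected by allowlist');
  }
  const href = escapeHtml(sanitizeHref(homepage));
  return `<p><a href="${href}" rel="noopener noreferrer">${escapeHtml(author)}</a>: ${escapeHtml(text)}</p>`;
}

// Constructed sample input carrying markup in the fields that allow it.
const sample = {
  author: 'alice_01',
  homepage: 'javascript:alert(1)',
  text: '<img src=x onerror=alert(1)>',
};
console.log(renderComment(sample));
```

Escaping as written covers HTML text and quoted attribute values only; data placed inside a script block, a style, or an unquoted attribute needs the encoder for that context.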
Finally, next time you find an XSS vulnerability, report it. If you get no attention the first time, then change the PoC. Try submitting an exploit to steal data or other critical stuff; surely it will have a different impact.