
Antisocial Networking Sites

THE NEXT TIME YOU VISIT a Web site on which users contribute much of the content—say, social networking sites like Myspace or photo-sharing sites like Flickr—be aware that some of the content other users are contributing may be malicious.

This malicious content uses simple JavaScript code that can be placed on a Web site. These attacks are particularly dangerous because they don’t rely on a bug: they take advantage of the way JavaScript is meant to work.

JavaScript is a programming language used on Web sites for simple functions such as opening a pop-up window or causing a button to change when the cursor moves across it. It can be embedded in a Web page’s HTML code, and, like HTML, JavaScript runs in the Web browser, not on the server, so it doesn’t need to exploit a computer vulnerability or an unpatched browser.

Billy Hoffman, lead research engineer at SPI Labs, says that SPI has created a proof-of-concept JavaScript scanning tool that determines the IP address of the computer it’s on and then scans to see what other devices—Web servers, wireless routers, and so on—are on that network. Another part of the JavaScript code then looks at images it finds on those devices; since many Web servers contain images of a standard size and name, locating images of specified sizes and names allows the server to be fingerprinted. All of this information can be sent back to a third party again simply by using JavaScript functionality that reaches out to other Web sites for images.

Hoffman says that mapping and fingerprinting a network from the inside provides an attacker with a cache of information that is typically hard to get. “Normally an attacker needs to do a lot of work to get that type of information,” he says. “He needs to hack around your firewall, or park in front of your headquarters and try to find an open access point that’s not secured.”

When an internal user behind a firewall unwittingly executes the malicious JavaScript, all this information can be gathered quickly.

Mikko Hyppönen, director of antivirus research at F-Secure, says that his team audited two well-known social networking sites with millions of registered users (not including Myspace) and quickly found that both sites were vulnerable to these kinds of attacks.

Hyppönen says that this attack scenario is “perfectly preventable” when Web sites carefully validate content being input by users and weed out code that doesn’t belong. “The bottom line is, whatever the situation is, you don’t want to have pages where users can post their own JavaScript, which would then be executed by other users. That’s a major no-no, that’s something that’s behind most of these attacks, and Web sites don’t need that functionality.”