JavaScript Authorization Forcer

Tue, 15 Aug 2006 21:32:48 GMT
by pdp

This is an idea I am still developing. The malicious JavaScript presented here tries to guess URLs that contain credentials. It is a sort of Basic Authentication/FTP Authentication bruteforcer.

The source code can be downloaded from here.

[/files/2006/08/authorizationforcer.js](/files/2006/08/authorizationforcer.js)

The POC works well in IE6, IE7, Firefox and Opera. I wasn't able to suppress the Basic Authentication dialog when trying to create a real Basic Authentication Bruteforcer. However, I came up with this lazyForce implementation. A typical attack vector will work like this:

  1. The attacker discovers your internal IP.
  2. Based on your IP, a class C range is enumerated using the Port Scanning or Visited Link Scanning techniques.
  3. Once a target is discovered, a large enough dictionary is used to find valid credentials associated with each IP.

My advice to you is to never, never, never, ever use credentials in URLs. I know it is easier to type ftp://user:[email protected] but this also puts your privacy at a huge risk.
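
The advice above can be checked mechanically. The following is an added example, not part of the original post or of authorizationforcer.js: it audits text such as bookmarks, HTML or scripts for URLs that carry credentials, and strips them. The function names and the sample input are constructed for illustration.

```javascript
// Added example; SAMPLE is constructed and uses reserved example hosts.
const URL_CANDIDATE = /\b(?:https?|ftp):\/\/[^\s"'<>]+/gi;

// Parse one candidate. Returns null when it has no userinfo or is not a URL.
function inspect(candidate) {
  // Trailing punctuation usually belongs to the sentence, not the URL.
  const tail = (candidate.match(/[).,;]+$/) || [""])[0];
  const raw = candidate.slice(0, candidate.length - tail.length);
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  // Let the URL parser decide what is userinfo, so an "@" in a path or
  // query string is not reported as a credential.
  if (url.username === "" && url.password === "") return null;
  const finding = {
    scheme: url.protocol.slice(0, -1),
    host: url.host,
    username: url.username, // kept percent-encoded, as parsed
    hasPassword: url.password !== "", // the password itself is never returned
  };
  url.username = "";
  url.password = "";
  return { ...finding, redacted: url.href, tail };
}

function findCredentialUrls(text) {
  return [...text.matchAll(URL_CANDIDATE)]
    .map((m) => inspect(m[0]))
    .filter(Boolean)
    .map(({ tail, ...finding }) => finding);
}

function redactCredentialUrls(text) {
  return text.replace(URL_CANDIDATE, (candidate) => {
    const hit = inspect(candidate);
    return hit ? hit.redacted + hit.tail : candidate;
  });
}

const SAMPLE = [
  "open ftp://backup:s3cret@ftp.example.com/nightly/",
  '<img src="http://admin:admin@192.0.2.10/status.gif">',
  "see https://example.org/users/@alice?mail=a@example.net.",
  "mirror at ftp://anonymous@ftp.example.net/pub",
].join("\n");
console.log(redactCredentialUrls(SAMPLE));
```

The findings deliberately omit the password, so the audit output can be logged or shared without becoming a second copy of the secret.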