XSSing the Lan
Since there is a growing interest in XSS (Cross-site Scripting) attacks, I will try to put in theory how border routers/gateways can be trivially compromised over the web. For this, three prerequisites need to be met: a page that is controlled by the attacker, let's call it evil.com; a router vulnerable to XSS; and a user visiting evil.com.
Once the user visits evil.com, the attacker's page embeds an element that carries the attack: its src (source) attribute contains a URL which exploits the XSS flaw in the router. Since the injected code is then executed on the router's domain, the browser's cross-domain restrictions are satisfied. This means that the rest of the attack can be constructed out of XMLHttpRequest objects, which provide greater control over the input and output of each request.
In the final stage, the code delivered through the router's XSS flaw performs a login and retrieves any sensitive information, which is then submitted to a remote collection point controlled by the attacker. Furthermore, in corporate environments the attacker may wish to lower the security level of the exploited device so she can return to it whenever she wants.
It is quite simple, and less complicated than it sounds.
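The whole chain above hinges on one thing: the router's admin page echoing attacker-controlled input back into HTML without encoding it. The example below is added here to show the defensive counterpart; it is not code from the original post or from any router vendor. It models a hypothetical embedded "status" page that reflects a `host` query parameter, shows the reflecting version beside one that escapes on output, and adds the response headers (framing denied, inline script and off-device connections blocked by CSP) that would blunt the IFRAME-and-XMLHttpRequest stages even if an encoding slip remained. The request string and the `probe()` marker are constructed for the example.

```python
"""Reflected-XSS hardening for an embedded router admin page (constructed example)."""
import html
from urllib.parse import parse_qs

# Constructed request: a hypothetical status page that echoes ?host= into the HTML,
# the pattern that lets an attacker-controlled URL run script on the router's origin.
SAMPLE_QUERY = "host=<script>probe()</script>"
INJECTED_MARKUP = "<script>probe()</script>"


def render_status_vulnerable(query_string: str) -> str:
    """Echo the parameter verbatim: whatever the URL carries becomes markup."""
    host = parse_qs(query_string).get("host", [""])[0]
    return f"<html><body><h1>Status for {host}</h1></body></html>"


def render_status_hardened(query_string: str) -> str:
    """Escape on output so the parameter is rendered as text, never as markup."""
    host = parse_qs(query_string).get("host", [""])[0]
    safe_host = html.escape(host, quote=True)  # encodes < > & " '
    return f"<html><body><h1>Status for {safe_host}</h1></body></html>"


def response_headers_hardened() -> dict:
    """Headers that limit what a page on the router's origin can be made to do.

    frame-ancestors / X-Frame-Options stop evil.com from embedding the admin UI;
    script-src 'self' refuses inline script; connect-src 'self' keeps
    XMLHttpRequest from posting results to an off-device collection point.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "connect-src 'self'; frame-ancestors 'none'"
        ),
        "Cache-Control": "no-store",
    }


def contains_unescaped_markup(rendered: str, injected: str) -> bool:
    """Audit helper: True if the injected value survived verbatim in the response body."""
    return injected in rendered


if __name__ == "__main__":
    for name, render in (("vulnerable", render_status_vulnerable),
                         ("hardened", render_status_hardened)):
        body = render(SAMPLE_QUERY)
        leaked = contains_unescaped_markup(body, INJECTED_MARKUP)
        print(f"{name:10s} reflects raw markup: {leaked}")
    print(response_headers_hardened()["Content-Security-Policy"])
```

When reviewing a device's web UI, the same audit helper can be pointed at real responses: request each page with a harmless marker string in every reflected parameter and flag any body in which the marker comes back unencoded. Output encoding is the fix; the headers are defence in depth for the framing and exfiltration steps and do not substitute for it.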