BLACK HAT - Security issues lurk behind corporate intranets

Experts claim that many companies are unknowingly leaving the door open for outsiders to infiltrate and attack their corporate intranets using new hacking techniques such as

Companies looking to improve their overall security posture may want to look for vulnerabilities in a place where they never might have expected to be attacked -- their corporate intranets.

According to two leading security researchers presenting at the ongoing Black Hat 2007 security conference in Las Vegas on Wednesday, many companies are unintentionally leaving the door to their IT operations unlocked by failing to adequately protect their internal Web sites.

Based on advancements in security research that will allow hackers to use Web browsers and the flaws the programs carry to infiltrate and attack intranets with greater ease, including the use of newer hacking techniques such as CSRF (cross-site request forgery), businesses should begin actively reviewing and re-architecting the internal URLs to prevent major issues down the line, said researchers Jeremiah Grossman and Robert "RSnake" Hansen.

"This is a problem that is essentially as widespread as anything out there. Over the next eighteen months I believe that we'll see black hats catching up with the research community and beginning to adopt these tactics," said Grossman, who is the founder and CTO of vulnerability testing firm WhiteHat Security. "Basically with these types of attacks it's as if firewalls don't even exist."

Companies typically don't consider the fact that hackers could find a way to get into their intranets, the Web application testing expert said, but savvy attackers can find links to the sites by carrying out emerging attacks such as CRSF threats, which allow them to break into seemingly secure Internet sessions to secretly lift password and browser history data.

Hackers typically attempt to fool end-users into loading a Web page that contains a malicious request in common CSRF threats, much like traditional phishing attacks or cross-site scripting (XSS) techniques.

The attackers then try to misappropriate victims' identities and privileges to carry out activities such as changing their applications passwords to gain entrance to intranets or banking sites, or to log into e-commerce sites to make fraudulent purchases in their names. In some cases, the attacks are hidden on the vulnerable sites themselves.

Grossman said that CRSF threats and XSS attacks are most commonly being used together to swipe money from online bank accounts today. But based on his observations of corporate intranets, he maintains that the technique could spell trouble for internal company URLs in the near future.

Utilizing the approach, hackers can essentially access prior Web browser sessions and remain logged in to any sites that have been accessed by an end-user to carry out illicit activities, including sites that offer access to sensitive information or company data.

Another easy way to break into intranets is to use cross-site scripting attacks that mirror traffic from trusted Web sites, such as online banking applications, that won't likely get blocked from company networks, according to the experts.

In developing their intranets, it seems, many firms don't apply the same level of security testing that they use for their publicly available URLs, the researchers said.

"Companies think that only certain IP addresses may be able to access their sites. Bbut using these techniques the browser can go anywhere, which throws the defense of filtering IP addresses out the window," said Hansen, who operates the security consulting firm SecTheory. "Hackers can use the browser as a proxy to get access to intranet applications -- vulnerabilities in VPN systems for remote workers offer another attractive point-of-entry."

The experts said that to protect themselves, companies should begin defending their internal Web sites in the same manner they safeguard their external sites. Public-facing Web sites shouldn't be allowed to access the intranets on any level, which is another common means for hackers to find their way into the systems, they said.

"There will be tools made available that allow black hats to carry out this sort of threat easily within the next two years, which should inspire a lot more people to try them out," Grossman said.

"These types of browser vulnerabilities have always been there, and these attacks were always feasible. It's just that no one really knew about it; what the bad guys are doing with them today compared to several years from now is just the tip of the iceberg," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?