JavaScript Portscanning

Please note that all blog posts before 8 April 2007 were automatically imported from LiveJournal.  To see the comments and any LiveJournal-specific extras such as polls and user icons, please find the source posting at http://brianenigma.livejournal.com/2006/07/

Interesting: using JavaScript on an internet website to portscan (and eventually hack) your local area network. There is an overview (with a link to the article) as well as a very accurate proof of concept.

I see this as eventually being pretty bad. Sure, the proof of concept is pretty tame and forces you to enter a start and end IP address and hit the “scan” button. Malevolent versions of the same could easily scan automatically and interact with the target (possibly changing settings on routers it knows how to talk to, for instance issuing a POST/GET request emulating a form on a particular administrative page, telling it to change the DMZ, read the password, disable encryption, etc.). The whole thing could even be bundled as the payload of other cross-site-scripting attacks.

Unfortunately, the easy fix for this would end up breaking the vast majority of websites out there.
