Intranet Attacks

Overview of the Attack

In intranet attacks, attackers seek to gain access to systems behind firewalls. Traditionally this was done by trying to push directly through the firewall. In the website security age, however, an easier avenue of attack has emerged: leveraging systems that already communicate through the firewall, and leapfrogging the attack from there. Two common points of leverage are public-facing websites and users' browsers.

What makes a site vulnerable?

Intranet-only websites (which are often minimally protected from other networked systems) may be vulnerable to intranet attacks via web interfaces if they share a network with a public-facing website that makes outbound HTTP requests based on user input. An attacker can exploit this functionality to have the public website make HTTP requests to the intranet sites, potentially as part of a larger attack. Sites may also be vulnerable to attack from compromised user browsers within the network if they implicitly or explicitly trust users who are behind the firewall.

Impact of the attack

In intranet attacks conducted via web interfaces, the attacker may be able to port-scan, fingerprint and ultimately attack the intranet sites. A successful attack could allow the attacker to install a reverse shell script on the intranet server, which may bypass the firewall (since the connection is outbound) and give the attacker full control over the intranet server. This could then be used as a platform to attack other servers on the network. In browser-based attacks, the site may be fully compromised if it is not adequately secured against users within the network. As a result, the attacker may gain full control over the site.

Preventing the attack

To prevent intranet attacks via web interfaces, the website should place controls on any HTTP request it makes on a user's behalf. In particular, HTTP requests constructed from user input should not be allowed to refer to the IP range associated with the internal network. To prevent browser-based attacks, requests originating from within the network should be treated as entirely untrustworthy and secured against in full.
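One way to implement the first of these controls, as an added example that is not part of the original article: a Python check, run before the site issues any user-specified request, that refuses URLs pointing at the internal range or at any non-public address. The 10.0.0.0/8 range and the sample addresses are constructed assumptions, and the resolver is injectable so the logic can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed intranet range of the site's own network (constructed value);
# substitute the real range(s) of the deployment.
INTRANET_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(addr):
    """True if the address must never be reached on a user's behalf."""
    addr = ipaddress.ip_address(addr)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:10.0.0.5 -> 10.0.0.5
    if mapped is not None:
        addr = mapped
    return (not addr.is_global or addr.is_multicast
            or any(addr in net for net in INTRANET_RANGES))

def resolve_all(host):
    """Every IPv4/IPv6 address the name maps to, as strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}  # drop v6 scope id

def check_outbound_url(url, resolve=resolve_all):
    """Return (allowed, reason) for a URL the site would fetch for a user.

    Rejects non-HTTP schemes, malformed or host-less URLs, literal
    non-public addresses (IPv4 or IPv6) and names resolving to any such
    address. Credentials in the URL do not help: hostname drops them.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "malformed URL: %s" % exc
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    try:
        ipaddress.ip_address(parts.hostname)
        addrs = {parts.hostname}  # literal address, no DNS needed
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except OSError as exc:
            return False, "DNS lookup failed: %s" % exc
    for addr in addrs:  # one internal record is enough to refuse
        if is_internal(addr):
            return False, "resolves to internal address %s" % addr
    return True, "ok"
```

The check must be bound to the connection that follows it: an HTTP client that re-resolves the name at fetch time, or follows a redirect to an internal address, can be steered past it (DNS rebinding), so connect to the address that was checked and re-run the check on every redirect hop.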