Researchers are warning about a hacking technique that enables attacks on the local network using JavaScript on a public website. Using the victim's browser as a proxy, the code can reach internal hosts and do reconnaissance activity or even compromise vulnerable services.
The method is not fully obstructed by the same-origin policy (SOP), the web app security model that restricts interaction between pages of different origin, and it can bypass firewalls because the browser can access the localhost and the local network.
Security researchers at Forcepoint, a company where one of the partners is the U.S. defense contractor Raytheon, admit that the technique is not new and that the security community is aware of it. However, scant resources on the topic and the underrated attack surface make it worthy of attention.
