
List:       full-disclosure
Subject:    [FD] Checking existence of firewalled web servers in Firefox via iframe.onload
From:       Georgi Guninski <gguninski () gmail ! com>
Date:       2023-04-18 13:03:04
Message-ID: CAGUWgD8ops7DqKPrsy02TA4od8xWb5EesBwXr3GoVk=YcM8r-Q () mail ! gmail ! com

In short, in Firefox 112 it is possible to check the existence
of firewalled web servers. This doesn't work in Chrome and Chromium 112
for me.

If user A has a TCP connection to web server B, then in the
following HTML:

<iframe src="http://B" onload="load()" onerror="alert('error')" id="i1"></iframe>

the JavaScript function load() will get executed if B serves a
valid document to A's browser and will not be executed otherwise.

This works for both http and https, and for http B is allowed
to be an IP address. Under some configurations of Apache2,
it serves http despite having https configured.

In some sense, this is close to nmap via javascript in a browser.

A potential privacy implication is when the attacker guesses the
range of firewalled IPs and checks them all in a loop.
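As an added example from the defender's side (this is not code from the post above), the following Node.js script looks for the request shape that the iframe probe leaves in an internal web server's access log: a cross-site page framing an internal host. It relies on the Sec-Fetch-Site and Sec-Fetch-Dest request headers that current Firefox and Chromium attach to subresource loads. The one-JSON-object-per-line log format, its field names, and every client, host and referer value below are constructed for the demo and are assumptions, not anything from the post.

```javascript
// Added detection example (not code from the original post). It scans web
// server access-log lines for cross-site <iframe> loads of internal hosts,
// the request shape the onload probe produces. It relies on the
// Sec-Fetch-Site / Sec-Fetch-Dest request headers that current Firefox and
// Chromium attach; the JSON log format and all hosts below are constructed.

// Returns true for loopback or RFC 1918 hosts (optionally with a :port).
function isPrivateHost(host) {
  const h = String(host || "").replace(/:\d+$/, "");
  if (h === "localhost") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Constructed sample log: one JSON object per line, as an access-log
// post-processor might emit it. Three lines are cross-site frame loads of
// different internal hosts from one client and one referring origin (the
// default referrer policy sends only the origin cross-site); the status
// codes differ on purpose, because the onload probe fires for any HTTP
// response, not only for 200.
const SAMPLE_LOG = [
  '{"ts":"2023-04-18T13:03:04Z","client":"10.0.0.23","host":"10.0.0.5","path":"/","status":200,"sec_fetch_site":"cross-site","sec_fetch_dest":"iframe","referer":"https://attacker.example/"}',
  '{"ts":"2023-04-18T13:03:04Z","client":"10.0.0.23","host":"10.0.0.6","path":"/","status":403,"sec_fetch_site":"cross-site","sec_fetch_dest":"iframe","referer":"https://attacker.example/"}',
  '{"ts":"2023-04-18T13:03:05Z","client":"10.0.0.23","host":"10.0.0.7:8080","path":"/","status":500,"sec_fetch_site":"cross-site","sec_fetch_dest":"iframe","referer":"https://attacker.example/"}',
  '{"ts":"2023-04-18T13:03:06Z","client":"10.0.0.23","host":"10.0.0.5","path":"/app","status":200,"sec_fetch_site":"same-origin","sec_fetch_dest":"iframe","referer":"http://10.0.0.5/"}',
  '{"ts":"2023-04-18T13:03:07Z","client":"10.0.0.23","host":"10.0.0.5","path":"/login","status":200,"sec_fetch_site":"cross-site","sec_fetch_dest":"document","referer":"https://news.example/"}',
  'not json at all',
];

const FRAME_DESTS = new Set(["iframe", "frame", "embed", "object"]);

function parseLine(line) {
  try { return JSON.parse(line); } catch (e) { return null; }
}

// A single request is a candidate when a cross-site page framed an internal
// host. Same-origin frames and top-level navigations are ignored.
function isCrossSiteFrameLoad(entry) {
  if (!entry || typeof entry !== "object") return false;
  const site = String(entry.sec_fetch_site || "").toLowerCase();
  const dest = String(entry.sec_fetch_dest || "").toLowerCase();
  return site === "cross-site" && FRAME_DESTS.has(dest) && isPrivateHost(entry.host);
}

function findFrameLoads(lines) {
  return lines.map(parseLine).filter(isCrossSiteFrameLoad);
}

// Groups hits by (client, referer) and lists the distinct internal hosts each
// pair touched: one referring page framing many internal hosts is the loop
// the post describes, as opposed to a single legitimately embedded page.
function summarize(hits) {
  const groups = new Map();
  for (const e of hits) {
    const key = `${e.client}|${e.referer || ""}`;
    if (!groups.has(key)) {
      groups.set(key, { client: e.client, referer: e.referer || "", hosts: new Set() });
    }
    groups.get(key).hosts.add(e.host);
  }
  return [...groups.values()].map(g => ({
    client: g.client, referer: g.referer, hosts: [...g.hosts].sort(),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const g of summarize(findFrameLoads(SAMPLE_LOG))) {
    console.log(`${g.client} via ${g.referer} framed ${g.hosts.length} internal host(s): ${g.hosts.join(", ")}`);
  }
}
```

Run it with `node` and it reports one client framing three internal hosts from one origin. Two caveats: the Sec-Fetch-* headers are set by the browser, so they help a log reviewer recognise the pattern but are not something an internal server can rely on from arbitrary clients; and refusing such requests (or sending X-Frame-Options) still answers with an HTTP response, which does not change whether a connection was established, so these headers protect the framed content rather than closing the existence leak itself.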

For online test:
https://j.ludost.net/onload1.html

-- 
guninski:  https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/