
List:       oss-security
Subject:    Re: [oss-security] Checking existence of firewalled web servers in Firefox via iframe.onload
From:       Stefano Di Paola <stefano.dipaola () wisec ! it>
Date:       2023-04-20 13:05:55
Message-ID: 12d8c448b765754601b3af0ea7242a01655eb232.camel () wisec ! it

Absolutely agreed!

What I actually see now as the most effective mitigation is the Chrome
decision to implement preflight on private network access:

https://developer.chrome.com/blog/private-network-access-preflight/

I hope to see that implemented by Firefox and other browsers as well.

As a side note, 3 years ago I released a proof of concept browser
extension that alerts the user when a website tries to perform port
scans or DNS Rebinding attacks.
https://github.com/mindedsecurity/behave
https://blog.mindedsecurity.com/2020/06/behave-monitoring-browser-extension-for.html

About the rediscovering, I know it happens and I have no problem with it,
but I wish researchers would spend some time checking for previous work
and give credit ;).

Cheers,
Stefano

On Thu, 2023-04-20 at 13:15 +0200, Jan Klopper wrote:
> Hi
> 
> The topic is still relevant.
> 
> Combining this attack with webservices that might be present behind a
> NAT network, e.g. IoT or appliances, can result in various serious issues.
> 
> There are loads of devices that do not require CSRF, or even POST, for
> requests that update settings or even firmware.
> 
> Performing GET requests on those internal IPs, even though no content
> will be returned, is still plenty dangerous.
> Knowing which IP to perform these attacks on can be found by looking at
> the timing of various ready/error calls.
> 
> However, it begs the question: is it the browser that is in the wrong
> here, or those appliances/devices? And should the browser be guarding
> users against flaws in those appliances? And where then does the scope
> of the browser's security features stop?
> 
> I'm also expecting heaps of these issues to be re-discovered when looking
> at the whole websockets domain.
> 
> With regards
> Jan Klopper
> 
> 
> On 20-04-2023 12:57, Stefano Di Paola wrote:
> > Hello George,
> > 
> > from time to time it happens to rediscover techniques and issues.
> > This is one of those times :)
> > 
> > In 2006 there was a lot of interest around browser based port
> > scans, in particular to pivot internal networks.
> > 
> > The following links are some of them:
> > 
> > http://web.archive.org/web/20060813034434/http://www.spidynamics.com/assets/documents/JSportscan.pdf
> > 
> > https://www.gnucitizen.org/blog/javascript-port-scanner/
> > 
> > https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf
> > 
> > https://www.blackhat.com/presentations/bh-usa-07/Grossman/Whitepaper/bh-usa-07-grossman-WP.pdf
> > 
> > Some of those techniques have been mitigated, and some are still
> > there.
> > 
> > There are surely other resources IIRC, although some of them might have
> > been deleted, such as the ones on sla.cke.rs, which is a real pity..
> > 
> > Cheers!
> > Stefano
> > 
> > Ps. this email applies to the other Script technique thread/email as
> > well.
> > 
> > On Tue, 2023-04-18 at 15:59 +0300, Georgi Guninski wrote:
> > > In short, in Firefox 112 it is possible to check the existence
> > > of firewalled web servers. This doesn't work in Chrome and
> > > Chromium 112 for me.
> > > 
> > > If user A has a tcp connection to web server B, then in the
> > > following html:
> > > 
> > > <iframe src="http://B" onload="load()" onerror="alert('error')"
> > > id="i1" />
> > > 
> > > the javascript function load() will get executed if B serves a
> > > valid document to A's browser and will not be executed otherwise.
> > > 
> > > This works for both http and https, and for http B is allowed
> > > to be an IP address. Under some configurations of Apache2,
> > > it serves http despite having https configured.
> > > 
> > > In some sense, this is close to nmap via javascript in a browser.
> > > 
> > > A potential privacy implication is when the attacker guesses the
> > > range of firewalled IPs and checks them all in a loop.
> > > 
> > > For online test:
> > > https://j.ludost.net/onload1.html
> > > 
-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
..................
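Added example, not code from any of the posters or from the Behave project: the device-side half of the Private Network Access preflight that Stefano points to, written as a small Python handler for the kind of internal appliance Jan describes. The allowlisted origin and the listening port are constructed assumptions; the two `Access-Control-*-Private-Network` header names are the ones Chrome's preflight uses.

```python
"""Device-side handling of Chrome's Private Network Access (PNA) preflight.

Before letting a page on a public origin reach a private-address host, Chrome
sends an OPTIONS request carrying 'Access-Control-Request-Private-Network: true'
and only proceeds if the host answers 'Access-Control-Allow-Private-Network: true'.
A device that answers only for known origins cannot be driven from arbitrary sites.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist (assumption): the only public origin permitted to call this device.
ALLOWED_ORIGINS = frozenset({"https://dashboard.example.com"})


def pna_preflight_response(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide the preflight answer; returns (status_code, response_headers)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    wants_pna = h.get("access-control-request-private-network", "").lower() == "true"
    if origin is None or origin not in allowed_origins:
        # No Origin, or one we do not trust: grant nothing, so the browser blocks the real request.
        return 403, {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, OPTIONS",
        "Vary": "Origin",
    }
    if wants_pna:
        # Explicit opt-in: this is the header the PNA preflight is looking for.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return 204, resp


class DeviceHandler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        status, hdrs = pna_preflight_response(dict(self.headers))
        self.send_response(status)
        for name, value in hdrs.items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        # Read-only endpoint: settings or firmware changes must not hang off a bare GET.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device status: ok\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), DeviceHandler).serve_forever()
```

As Stefano notes, Firefox had not implemented the preflight at the time of the thread, so this server-side opt-in only protects users of browsers that send it.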
