List: oss-security
Subject: Re: [oss-security] Checking existence of firewalled web servers in Firefox via iframe.onload
From: Stefano Di Paola <stefano.dipaola () wisec ! it>
Date: 2023-04-20 13:05:55
Message-ID: 12d8c448b765754601b3af0ea7242a01655eb232.camel () wisec ! it
Absolutely agreed!
What I actually see now as the most effective mitigation is the Chrome
decision to implement preflight on private network access:
https://developer.chrome.com/blog/private-network-access-preflight/
I hope to see that implemented by Firefox and other browsers as well.
As a side note, 3 years ago I released a proof of concept browser
extension that alerts the user when a website tries to perform port
scans or DNS Rebinding attacks.
https://github.com/mindedsecurity/behave
https://blog.mindedsecurity.com/2020/06/behave-monitoring-browser-extension-for.html
About rediscovery, I know it happens and I have no problem with it,
but I wish researchers would spend some time checking for previous work
and give credit ;).
Cheers,
Stefano
On Thu, 2023-04-20 at 13:15 +0200, Jan Klopper wrote:
> Hi
>
> The topic is still relevant.
>
> Combining this attack with web services that might be present behind a
> NAT network, e.g. IoT or appliances, can result in various serious
> issues.
>
> There are loads of devices that do not require CSRF, or even POST, for
> requests that update settings or even firmware.
>
> Performing GET requests on those internal IPs, even though no content
> will be returned, is still plenty dangerous.
> Knowing which IP to perform these attacks on can be found by looking at
> the timing of various ready/error calls.
>
> However, it begs the question: is it the browser that is in the wrong
> here, or those appliances/devices? And should the browser be guarding
> users against flaws in those appliances? And where then does the scope
> of the browser's security features stop?
>
> I'm also expecting heaps of these issues to be re-discovered when looking
> at the whole websockets domain.
>
> With regards
> Jan Klopper
>
>
> On 20-04-2023 12:57, Stefano Di Paola wrote:
> > Hello George,
> >
> > from time to time it happens that techniques and issues get rediscovered.
> > This is one of those times :)
> >
> > In 2006 there was a lot of interest around browser-based port
> > scans, in particular to pivot into internal networks.
> >
> > The following links are some of them:
> >
> > http://web.archive.org/web/20060813034434/http://www.spidynamics.com/assets/documents/JSportscan.pdf
> >
> > https://www.gnucitizen.org/blog/javascript-port-scanner/
> >
> > https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf
> >
> > https://www.blackhat.com/presentations/bh-usa-07/Grossman/Whitepaper/bh-usa-07-grossman-WP.pdf
> >
> > Some of those techniques have been mitigated, and some are still
> > there.
> >
> > There are surely other resources IIRC, although some of them might have
> > been deleted, such as the ones on sla.cke.rs, which is a real pity..
> >
> > Cheers!
> > Stefano
> >
> > Ps. this email applies to the other Script technique thread/email as
> > well.
> >
> > On Tue, 2023-04-18 at 15:59 +0300, Georgi Guninski wrote:
> > > In short, in Firefox 112 it is possible to check the existence
> > > of firewalled web servers. This doesn't work in Chrome and Chromium 112
> > > for me.
> > >
> > > If user A has tcp connection to web server B, then in the
> > > following html:
> > >
> > > <iframe src="http://B" onload="load()" onerror="alert('error')"
> > > id="i1" />
> > >
> > > the javascript function load() will get executed if B serves
> > > valid document to A's browser and will not be executed otherwise.
> > >
> > > This works for both http and https, and for http B is allowed
> > > to be an IP address. Under some configurations of Apache2,
> > > it serves http despite having https configured.
> > >
> > > In some sense, this is close to nmap via javascript in a browser.
> > >
> > > A potential privacy implication is when the attacker guesses the
> > > range of firewalled IPs and checks them all in a loop.
> > >
> > > For online test:
> > > https://j.ludost.net/onload1.html
> > >
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
Twitter: http://twitter.com/WisecWisec
..................
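As an added example that is not part of this thread, of Behave, or of any browser project: a minimal Python handler showing how an internal service can answer the Private Network Access preflight Stefano points to, allowing it only for an allowlisted origin so that a probe from an arbitrary public page gets nothing back. The allowlisted origin, port and function names are assumptions made for the example.

```python
"""
Constructed example: decision logic for Chrome's Private Network Access (PNA)
preflight, see https://developer.chrome.com/blog/private-network-access-preflight/
Chrome marks a public-to-private fetch with the request header
Access-Control-Request-Private-Network: true and sends the real request only
if the server replies with Access-Control-Allow-Private-Network: true
(plus ordinary CORS headers). Denying by default blocks unknown sites.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist: the only public origin permitted to reach this device.
ALLOWED_ORIGINS = {"https://admin.example.com"}


def pna_preflight_response(headers: dict) -> dict:
    """Return the response headers for an OPTIONS preflight.

    An empty dict means "deny": without Access-Control-Allow-* headers the
    browser refuses to send the actual request, so the page learns nothing.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin", "")
    wants_private = h.get("access-control-request-private-network", "").lower() == "true"
    if origin not in ALLOWED_ORIGINS:
        return {}
    resp = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Vary": "Origin",
    }
    if wants_private:
        # Only grant private-network access when the browser explicitly asked
        # for it; a plain CORS preflight gets plain CORS headers.
        resp["Access-Control-Allow-Private-Network"] = "true"
    return resp


class PNAHandler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        resp = pna_preflight_response(dict(self.headers.items()))
        self.send_response(204 if resp else 403)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Assumed listening port for a device on the private network.
    HTTPServer(("0.0.0.0", 8080), PNAHandler).serve_forever()
```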