oss-sec mailing list archives
Checking existence of firewalled web servers in Firefox via iframe.onload
From: Georgi Guninski <gguninski () gmail com>
Date: Tue, 18 Apr 2023 15:59:17 +0300
In short, in Firefox 112 it is possible to check the existence of firewalled web servers. This doesn't work in Chrome and Chromium 112 for me.

If user A has a TCP connection to web server B, then in the following HTML:

    <iframe src="http://B" onload="load()" onerror="alert('error')" id="i1" />

the JavaScript function load() will get executed if B serves a valid document to A's browser and will not be executed otherwise.

This works for both http and https, and for http B is allowed to be an IP address. Under some configurations of Apache2, it serves http despite having https configured.

In some sense, this is close to nmap via JavaScript in a browser.

A potential privacy implication is when the attacker guesses the range of firewalled IPs and checks them all in a loop.

For online test: https://j.ludost.net/onload1.html

--
guninski: https://j.ludost.net/resumegg.pdf