oss-sec mailing list archives

Re: Checking existence of firewalled URLs via javascript's script.onload


From: Peter Philip Pettersson <philip.pettersson () gmail com>
Date: Wed, 19 Apr 2023 07:53:14 -0700

Hi George,

There are many ways to make arbitrary HTTP requests through a browser, with
and without Javascript.

Here's a good writeup from 2018 from the makers of Burp Suite:
https://portswigger.net/research/exposing-intranets-with-reliable-browser-based-port-scanning

I wouldn't consider this a vulnerability in the browser.

Btw, I remember your exploits from the early 2000s - good stuff :)

Regards,
Philip

On Wed, Apr 19, 2023 at 6:31 AM Georgi Guninski <gguninski () gmail com> wrote:

There is a minor information disclosure vulnerability similar
to nmap in the browser.

It is possible to check the existence of firewalled URL U via
the following javascript in a browser:

<script src="U"
    onload="alert('Exists')"
    onerror="alert('Does not exist')"></script>

This might have privacy implications for potential
"semi-blind CSRF" (XXX does this make sense?).

Works for me in Firefox, Chrome and Chromium 112.

I believe the issue won't be fixed because it will break
stuff in the mess called internet.

For online test:

https://www.guninski.com/onload2.html

--
guninski:  https://j.ludost.net/resumegg.pdf

