Obtaining LAN IP from JavaScript for CSRF

[Craig Young <vuln-report () secur3 us>]

I recently came across an interesting PoC on GitHub for utilizing STUN to
determine a local LAN IP via JavaScript. This was surprising to me since I
thought you generally shouldn't be able to identify the LAN IP in
JavaScript so I have started using this in CSRF exploit demonstrations.

A brief explanation including a link back to the original work is on the
Tripwire State of Security blog here:
http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/smart-cross-site-request-forgery-csrf/

An interesting note to this is that even though the code references a
Mozilla STUN server on the internet, I was able to use this PoC in Chrome
on a LAN without any gateway to the Internet.  The exploit page was
accessed via HTTP (from a local VM) so this is not some special case for
the file:// scheme.  I tested this on a Windows and OS X Chrome release.
I'd be interested to hear any thoughts on why it works without a route to a
real STUN server.

Thanks,
Craig Young
Security Researcher, Tripwire VERT
@CraigTweets

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/