Full Disclosure mailing list archives
Obtaining LAN IP from JavaScript for CSRF
From: Craig Young <vuln-report () secur3 us>
Date: Tue, 22 Sep 2015 17:51:14 -0400
I recently came across an interesting PoC on GitHub for utilizing STUN to determine a local LAN IP via JavaScript. This was surprising to me since I thought you generally shouldn't be able to identify the LAN IP in JavaScript so I have started using this in CSRF exploit demonstrations. A brief explanation including a link back to the original work is on the Tripwire State of Security blog here: http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/smart-cross-site-request-forgery-csrf/ An interesting note to this is that even though the code references a Mozilla STUN server on the internet, I was able to use this PoC in Chrome on a LAN without any gateway to the Internet. The exploit page was accessed via HTTP (from a local VM) so this is not some special case for the file:// scheme. I tested this on a Windows and OS X Chrome release. I'd be interested to hear any thoughts on why it works without a route to a real STUN server. Thanks, Craig Young Security Researcher, Tripwire VERT @CraigTweets _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Obtaining LAN IP from JavaScript for CSRF Craig Young (Sep 22)