| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Apr 2023 21:19:09 +0000
From: Jonathan Gregson via Fulldisclosure <fulldisclosure@...lists.org>
To: Georgi Guninski <gguninski@...il.com>, "fulldisclosure@...lists.org"
<fulldisclosure@...lists.org>
Subject: Re: [FD] Checking existence of firewalled URLs via
javascript's script.onload
Hi Georgi,
As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_ cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information gathering.
Fortunately, it's not very practical except in targeted attacks, either against known victims or known applications that the victim might be running. It takes several thousand or even millions of requests to enumerate an internal network in this way, and the user will likely close your tab before you can discover anything meaningful (the clever ones will use a popunder to increase scan time).
One of the more impactful ways to abuse local applications through CSRF is to attack the router. Many (most?) users leave router credentials and IP addresses set to factory defaults. When victims visit the attacker's website, the website POSTs the default username and password to the router's default IP address which logs the user into the router. The malicious website then makes a second POST request setting the router's DNS servers to malicious servers, resulting in a DNS hijack. Vulnerable routers can be exploited in the same way, sometimes leading to the attacker taking full control of the router and enlisting it in a botnet.
Just some things to think about.
Thanks,
Jonathan
-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of Georgi Guninski
Sent: Wednesday, April 19, 2023 05:50
To: fulldisclosure@...lists.org
Subject: [FD] Checking existence of firewalled URLs via javascript's script.onload
There is minor information disclosure vulnerability similar
to nmap in browser.
It is possible to check the existence of firewalled URL U via
the following javascript in a browser:
<script src="U"
onload="alert('Exists')"
onerror="alert('Does not exist')">
This might have privacy implication on potentially
"semi-blind CSRF" (XXX does this makes sense?).
Works for me in Firefox, Chrome and Chromium 112.
I believe the issue won't be fixed because it will break
stuff in the mess called internet.
For online test:
https://www.guninski.com/onload2.html
--
guninski: https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists