lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACGny3hxP_V3F8M5H92eVa2pQXYDTJJCbCkqhzB5Z2DViYD9xA@mail.gmail.com> Date: Tue, 22 Sep 2015 17:51:14 -0400 From: Craig Young <vuln-report@...ur3.us> To: Full Disclosure <fulldisclosure@...lists.org> Subject: [FD] Obtaining LAN IP from JavaScript for CSRF I recently came across an interesting PoC on GitHub for utilizing STUN to determine a local LAN IP via JavaScript. This was surprising to me since I thought you generally shouldn't be able to identify the LAN IP in JavaScript so I have started using this in CSRF exploit demonstrations. A brief explanation including a link back to the original work is on the Tripwire State of Security blog here: http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/smart-cross-site-request-forgery-csrf/ An interesting note to this is that even though the code references a Mozilla STUN server on the internet, I was able to use this PoC in Chrome on a LAN without any gateway to the Internet. The exploit page was accessed via HTTP (from a local VM) so this is not some special case for the file:// scheme. I tested this on a Windows and OS X Chrome release. I'd be interested to hear any thoughts on why it works without a route to a real STUN server. Thanks, Craig Young Security Researcher, Tripwire VERT @CraigTweets _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists