Message-ID: <MW4PR22MB34336F7FBD0274BC2618CB37C7609@MW4PR22MB3433.namprd22.prod.outlook.com>
Date: Fri, 21 Apr 2023 21:19:09 +0000
From: Jonathan Gregson via Fulldisclosure <fulldisclosure@...lists.org>
To: Georgi Guninski <gguninski@...il.com>, "fulldisclosure@...lists.org"
 <fulldisclosure@...lists.org>
Subject: Re: [FD] Checking existence of firewalled URLs via javascript's script.onload

Hi Georgi,

As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_ cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information gathering.

Fortunately, it's not very practical except in targeted attacks, either against known victims or known applications that the victim might be running. It takes several thousand or even millions of requests to enumerate an internal network in this way, and the user will likely close your tab before you can discover anything meaningful (the clever ones will use a popunder to increase scan time).

One of the more impactful ways to abuse local applications through CSRF is to attack the router. Many (most?) users leave router credentials and IP addresses set to factory defaults. When victims visit the attacker's website, the website POSTs the default username and password to the router's default IP address which logs the user into the router. The malicious website then makes a second POST request setting the router's DNS servers to malicious servers, resulting in a DNS hijack. Vulnerable routers can be exploited in the same way, sometimes leading to the attacker taking full control of the router and enlisting it in a botnet.

Just some things to think about.

Thanks,
Jonathan

-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of Georgi Guninski
Sent: Wednesday, April 19, 2023 05:50
To: fulldisclosure@...lists.org
Subject: [FD] Checking existence of firewalled URLs via javascript's script.onload

There is a minor information disclosure vulnerability, similar
to nmap, in the browser.

It is possible to check the existence of firewalled URL U via
the following javascript in a browser:

<script src="U"
    onload="alert('Exists')"
    onerror="alert('Does not exist')"></script>

This might have privacy implications on potentially
"semi-blind CSRF" (XXX does this make sense?).

Works for me in Firefox, Chrome and Chromium 112.

I believe the issue won't be fixed because it will break
stuff in the mess called internet.

For online test:

https://www.guninski.com/onload2.html

--
guninski:  https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/