Full Disclosure mailing list archives

Re: Checking existence of firewalled URLs via javascript's script.onload


From: Jonathan Gregson via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 21 Apr 2023 21:19:09 +0000

Hi Georgi,

As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known 
for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_ 
cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information 
gathering.

Fortunately, it's not very practical except in targeted attacks, either against known victims or known applications 
that the victim might be running. It takes several thousand or even millions of requests to enumerate an internal 
network in this way, and the user will likely close your tab before you can discover anything meaningful (the clever 
ones will use a popunder to increase scan time).

One of the more impactful ways to abuse local applications through CSRF is to attack the router. Many (most?) users 
leave router credentials and IP addresses set to factory defaults. When victims visit the attacker's website, the 
website POSTs the default username and password to the router's default IP address which logs the user into the router. 
The malicious website then makes a second POST request setting the router's DNS servers to malicious servers, resulting 
in a DNS hijack. Vulnerable routers can be exploited in the same way, sometimes leading to the attacker taking full 
control of the router and enlisting it in a botnet.

Just some things to think about.

Thanks,
Jonathan

-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces () seclists org> On Behalf Of Georgi Guninski
Sent: Wednesday, April 19, 2023 05:50
To: fulldisclosure () seclists org
Subject: [FD] Checking existence of firewalled URLs via javascript's script.onload

There is a minor information disclosure vulnerability similar
to nmap in the browser.

It is possible to check the existence of firewalled URL U via
the following javascript in a browser:

<script src="U"
    onload="alert('Exists')"
    onerror="alert('Does not exist')"></script>

This might have privacy implications for potential
"semi-blind CSRF" (XXX does this make sense?).

Works for me in Firefox, Chrome and Chromium 112.

I believe the issue won't be fixed because it will break
stuff in the mess called the internet.

For an online test:

https://www.guninski.com/onload2.html

--
guninski:  https://j.ludost.net/resumegg.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
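Server-side counterpart to the script.onload probe quoted above and to the router login POST in the reply: a resource-isolation policy an internal HTTP service (router UI, dev server) can apply to refuse browser requests marked cross-site, answering them with the same 404 a missing URL gets so onload/onerror sees one outcome for existing and nonexistent paths. This is an added example, not code from either post or from any router firmware; it assumes the service can read request headers, and every origin, path and header set below is a constructed sample.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_allowed(method, headers, allowed_origins=()):
    """Resource-isolation policy for an internal HTTP service (router UI, dev server).

    Uses the Fetch Metadata request headers (Sec-Fetch-Site/Mode/Dest) that browsers
    attach, with an Origin fallback for state-changing requests when they are absent.
    Returns True if the request may be served."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    method = method.upper()
    site = h.get("sec-fetch-site")
    if site is None:
        # No Fetch Metadata: curl, old browsers, or a browser talking plain http to a
        # LAN address (browsers send Sec-Fetch-* only to https/localhost). Reads pass;
        # writes must come from an allowed Origin (cross-site form POSTs and fetch()
        # always carry one).
        if method in SAFE_METHODS:
            return True
        origin = h.get("origin")
        return origin is None or origin in {o.lower() for o in allowed_origins}
    if site in ("same-origin", "same-site", "none"):
        return True
    # cross-site: permit only a plain top-level navigation by a safe method, so a
    # clicked link still works but <script src>, <img>, fetch() and form POSTs do not.
    return (h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") == "document"
            and method in SAFE_METHODS)


def handle(method, path, headers, routes, allowed_origins=()):
    """Map a request to (status, body). A refused cross-site request and a missing
    path get the identical 404, so script.onload/onerror sees the same outcome for
    an existing and a nonexistent URL."""
    not_found = (404, "not found")
    if not is_allowed(method, headers, allowed_origins) or path not in routes:
        return not_found
    return (200, routes[path])


# Constructed sample requests, as a browser would send them (all values made up).
SCRIPT_PROBE = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                "Sec-Fetch-Dest": "script"}            # <script src="U"> on attacker page
ROUTER_LOGIN = {"Origin": "http://attacker.example"}   # cross-site form POST, plain-http router
SAME_ORIGIN = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
               "Sec-Fetch-Dest": "empty"}              # fetch() from the router's own UI
ROUTES = {"/admin.js": "// admin bundle", "/login": "ok"}  # constructed routing table
```

Browsers attach Sec-Fetch-* only to https:// and localhost destinations, so a plain-http router UI sees only the Origin fallback, which stops the cross-site POST but not a cross-site GET such as the script probe. Timing differences between the two 404 paths are a separate channel this policy does not close.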