Hi Georgi,

As you suggested, this is a CSRF attack. Using such techniques to attack or enumerate local applications has been known for some time and is a very difficult issue to address. Browsers have done well in preventing malicious _authenticated_ cross-site requests, but as you've found, attackers can still use such techniques for enumeration and information gathering.

Fortunately, it's not very practical except in targeted attacks, either against known victims or known applications that the victim might be running. It takes several thousand or even millions of requests to enumerate an internal network in this way, and the user will likely close your tab before you can discover anything meaningful (the clever ones will use a popunder to increase scan time).

One of the more impactful ways to abuse local applications through CSRF is to attack the router. Many (most?) users leave router credentials and IP addresses set to factory defaults. When victims visit the attacker's website, the website POSTs the default username and password to the router's default IP address, which logs the user into the router. The malicious website then makes a second POST request setting the router's DNS servers to malicious servers, resulting in a DNS hijack. Vulnerable routers can be exploited in the same way, sometimes leading to the attacker taking full control of the router and enlisting it in a botnet.

Just some things to think about.

Thanks,
Jonathan

-----Original Message-----
From: Fulldisclosure <fulldisclosure-boun...@seclists.org> On Behalf Of Georgi Guninski
Sent: Wednesday, April 19, 2023 05:50
To: fulldisclosure@seclists.org
Subject: [FD] Checking existence of firewalled URLs via javascript's script.onload

There is a minor information disclosure vulnerability, similar to nmap, in the browser.

It is possible to check the existence of a firewalled URL U via the following javascript in a browser:

    <script src="U" onload="alert('Exists')" onerror="alert('Does not exist')"></script>

This might have privacy implications on potentially "semi-blind CSRF" (XXX does this make sense?).

Works for me in Firefox, Chrome and Chromium 112.

I believe the issue won't be fixed because it will break stuff in the mess called internet.

For online test: https://www.guninski.com/onload2.html

--
guninski: https://j.ludost.net/resumegg.pdf

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
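Both messages above describe cross-site requests reaching a LAN-side application: Georgi's script.onload probe and Jonathan's credential-plus-DNS POSTs against a router. The server-side check below is an added example written for this thread, not code from either poster or from any router vendor. It assumes a hypothetical local admin web app that can inspect request headers before a handler runs, and applies a resource-isolation policy on the Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), falling back to the Origin header for clients that do not send them. The allowed origins and the sample requests are constructed for illustration.

```python
"""Fetch Metadata / Origin request filter for a LAN-side admin interface.

Added example for the thread above; not from either poster. The app, the
allowed origins and the sample requests are assumptions constructed here.
"""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed: the origins on which the admin UI is assumed to be served.
ALLOWED_ORIGINS = {"http://192.168.1.1", "https://router.lan"}


def is_allowed(method: str, headers: dict) -> tuple[bool, str]:
    """Decide whether one request may proceed; returns (allowed, reason).

    Policy:
      1. No Sec-Fetch-Site header: the client predates Fetch Metadata or is
         not a browser. Refuse state-changing requests whose Origin is foreign;
         a CSRF token should still back this path for state changes.
      2. same-origin, same-site and none (typed URL, bookmark) pass.
      3. A cross-site top-level GET/HEAD navigation passes, so plain links to
         the UI keep working.
      4. Every other cross-site request is refused. That covers a cross-site
         <script src=...> load (mode "no-cors", dest "script") and a
         cross-site form POST (mode "navigate", method POST).
    """
    method = method.upper()
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    if site is None:
        origin = h.get("origin")
        if method not in SAFE_METHODS and origin and origin not in ALLOWED_ORIGINS:
            return False, f"legacy client: foreign Origin {origin} on {method}"
        return True, "legacy client: no Fetch Metadata, Origin acceptable"

    if site in ("same-origin", "same-site", "none"):
        return True, f"Sec-Fetch-Site {site}"

    # Cross-site from here on.
    if method in SAFE_METHODS and mode == "navigate" and dest == "document":
        return True, "cross-site top-level navigation"

    return False, f"cross-site {mode} request for dest {dest} via {method}"


# Constructed sample requests, as the headers a browser would attach.
SAMPLE_REQUESTS = {
    # <script src="http://192.168.1.1/..."> from a third-party page.
    "script_probe": ("GET", {
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-Mode": "no-cors",
        "Sec-Fetch-Dest": "script",
    }),
    # Auto-submitted login form from a third-party page.
    "login_post": ("POST", {
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "document",
        "Origin": "https://third-party.example",
    }),
    # The UI's own JavaScript saving settings.
    "own_ui_post": ("POST", {
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Origin": "http://192.168.1.1",
    }),
    # User clicks a link to the admin page from another site.
    "link_click": ("GET", {
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "document",
    }),
    # Older browser without Fetch Metadata, cross-origin form POST.
    "legacy_post": ("POST", {"Origin": "https://third-party.example"}),
    # Non-browser client (e.g. a management script) doing a GET.
    "tool_get": ("GET", {}),
}


def evaluate_samples() -> dict:
    """Map each sample name to the filter's allow/refuse decision."""
    return {name: is_allowed(m, h)[0] for name, (m, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (m, h) in SAMPLE_REQUESTS.items():
        allowed, reason = is_allowed(m, h)
        print(f"{name:12s} {'ALLOW ' if allowed else 'REFUSE'} {reason}")
```

Refusing the probe with a 403 does not make the host invisible: a non-OK status still fires the script element's onerror, so both the firewalled-but-present and absent cases look the same to the onload/onerror check, while response timing can still differ. The filter's main value is against the state-changing POSTs Jonathan describes, and it complements browser-side work such as Private Network Access restrictions rather than replacing a per-session CSRF token.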