CSS LAN scanner
Friday, 24 August 2007
I think the single most insecure feature of internet browsers today is iframes: you can do too much with them, and I feel I’ve only touched the surface with the examples I’ve shown. My next tool shows how simple it is to scan your entire local network from the internet using iframes, CSS and absolutely no JavaScript!
Update…
Geez, I’ve never had so many 403 errors in my Apache logs. You don’t need the folder contents, people! Look, the code is in CSS, so you don’t need any other code, got it? Well, stop trying to grab the contents of a directory that is in plain sight. Some people!
Whitepaper released
I don’t normally agree with releasing whitepapers on subjects because I believe you don’t need an essay to explain this stuff; all you need is to look at the code. But I thought I would make the exception, so here is a whitepaper about this subject:-
Run for the hills the internet is falling apart!
Here are some more CSS scanners that I’ve been told about:-
RSnake’s CSS scanner
PDP’s noscript scanner
Jeremiah Grossman’s CSS History hack
No. 1 — August 24th, 2007 at 9:42 am
Scary (and refreshing) stuff Gareth. :)
Two questions though:
1. My n/w lies neither in 10.x.x.x nor 192.x.x.x, yet the scanner is able to identify a number of devices. How’s that? :-/
2. How are you identifying the device type?
No. 2 — August 24th, 2007 at 10:03 am
1. I’ve tested it in Firefox so it might not work in other browsers. If you’ve visited 10.x.x.x or 192.x.x.x or changed addresses, it will display them. This could also be used to display which addresses you have been to, a full CSS history hack without JavaScript, similar to Jeremiah Grossman’s.
2. The device type is based on the default out of the box IP address which a device automatically gets assigned.
Scary stuff indeed
No. 3 — August 24th, 2007 at 10:05 am
Even more is possible with CSS and I’m going to update my CSS attacks page with new attacks soon.
No. 4 — August 24th, 2007 at 10:52 am
How could this be useful to Dr Evil?
I am able to scan MY network. OK. So what? How could this info be transmitted back? Without JavaScript, I can’t think of any way. Am I wrong?
No. 5 — August 24th, 2007 at 10:55 am
Well, a lot more is possible than you think. Stay tuned for my next example… CSS scripting!
No. 6 — August 24th, 2007 at 11:46 am
OK, no JavaScript, just CSS! It will scan your IP and store it in a session as proof that it is possible. Tested only on Firefox; I told you the internet was falling apart :)
No. 7 — August 24th, 2007 at 11:49 am
This also proves that any web site you visit can be tracked purely with CSS. I’d do a demo but I don’t think it is necessary really, I think I’ve already proven my point.
No. 8 — August 24th, 2007 at 6:20 pm
Might want to add HTTPS links to that CSS. For instance, my router is at 192.168.1.1, but I’ve turned off HTTP access to the dd-wrt control panel, so it doesn’t show up.
No. 9 — August 24th, 2007 at 6:30 pm
Good point David, thanks! I’m planning to add router DNS names if I can find a list to successfully identify routers. Good thinking btw with your router.
No. 10 — August 27th, 2007 at 12:42 pm
Uh is there something up with the whitepaper? I tried that URL and it came back blank, reloaded a few times same thing. View page source comes back with just a few lines, nothing between the body tags.
No. 11 — August 27th, 2007 at 1:46 pm
Sorry Thorin just my sense of humor. I don’t believe in them.
No. 12 — August 27th, 2007 at 11:13 pm
haha, a real whitepaper! I’m still waiting for the black paper.
Oh no! Gareth what have you done!? I’m afraid of surfing the interwebs… 4 real :)
No. 13 — August 28th, 2007 at 7:25 am
hehe :) I don’t like being serious all the time
Yep, there’s not much you can do; who’s gonna turn off CSS lol.
No. 14 — August 28th, 2007 at 8:34 am
hehe :)
We are getting there… Soon I have another post which probably will shock some. :) Not all, some. :)
No. 15 — August 28th, 2007 at 8:39 am
Yep, I know what you mean: *some* will know what you can do with it and *some* will not :)
No. 16 — August 28th, 2007 at 1:28 pm
Let’s call the web deceased, shall we? Or at least web security is a myth. :)
No. 17 — August 28th, 2007 at 2:00 pm
Yep, in the last few years the browser manufacturers have been very lazy regarding new security policies.
I’m just looking at the Firefox CSS features now and I can see huge scope for security problems; when I release the CSK (CSS Scripting Kit) you’ll see some of the issues.
Web security is certainly a myth; time they got their act together!
No. 18 — August 28th, 2007 at 2:05 pm
This is only based on the browser’s history. What if one cleans the history every minute?
Is every browser vulnerable?
BTW, this attack is not limited to HTTP requests. Any request to a URL supported by a browser can be logged. Say, FTP (ftp://), or port numbers (http://localhost:8080/) can be logged without notice.
Awesome if you want to exploit it, a nightmare if you want to prevent it.
– Unomi –
No. 19 — August 28th, 2007 at 2:16 pm
Cleaning your history will do no good for CSS LAN scanning because the script actually creates the history on page load; therefore the only protection is to disable visited in CSS.
Yes, any URL that can be opened by iframes is available to be exploited.
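The mechanism described in this thread (an internet page embedding private addresses in iframes so the victim’s browser requests them) leaves a trace on the internal devices themselves. The following is an added example, not code from the original post or its author, showing a check a LAN administrator could run over a router’s or internal web interface’s access log: it flags requests that carry a Referer from outside the LAN, which is what an externally hosted scanner page produces when the browser sends a Referer. It assumes Apache "combined" log format; the sample log lines are constructed, and the function names (`parseCombinedLog`, `isPrivateHost`, `refererHost`, `findExternalEmbeds`) are my own.

```javascript
// Added example (not from the original post): flag requests to an internal
// device's web interface whose Referer points outside the LAN, the pattern a
// CSS/iframe LAN scan hosted on an internet page leaves behind.

// Constructed sample lines in Apache "combined" log format; not real traffic.
const SAMPLE_LOG = `
192.168.1.20 - - [24/Aug/2007:09:41:02 +0100] "GET / HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Firefox)"
192.168.1.20 - - [24/Aug/2007:09:42:11 +0100] "GET / HTTP/1.1" 200 1843 "http://example.test/scanner.html" "Mozilla/5.0 (Firefox)"
192.168.1.20 - - [24/Aug/2007:09:42:11 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "http://example.test/scanner.html" "Mozilla/5.0 (Firefox)"
192.168.1.20 - - [24/Aug/2007:09:50:00 +0100] "GET /admin HTTP/1.1" 200 3321 "http://192.168.1.1/" "Mozilla/5.0 (Firefox)"
192.168.1.20 - - [24/Aug/2007:09:51:30 +0100] "GET /status HTTP/1.1" 200 512 "http://localhost:8080/" "Mozilla/5.0 (Firefox)"
`;

// client ident user [time] "method path proto" status bytes "referer" "user-agent"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parse combined-format lines into plain objects; non-matching lines are skipped.
function parseCombinedLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = COMBINED_RE.exec(line.trim());
    if (!m) continue;
    entries.push({
      client: m[1], time: m[2], method: m[3], path: m[4],
      status: Number(m[5]), referer: m[7], userAgent: m[8],
    });
  }
  return entries;
}

// RFC 1918 ranges, loopback and "localhost" count as internal to the LAN.
function isPrivateHost(host) {
  if (host === 'localhost') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Hostname from the Referer field, or null when it is absent ("-") or unparseable.
function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try {
    return new URL(referer).hostname;
  } catch (e) {
    return null;
  }
}

// Entries whose Referer names a host outside the LAN: requests that an
// external page caused the browser to make against this device.
function findExternalEmbeds(entries) {
  return entries.filter((e) => {
    const host = refererHost(e.referer);
    return host !== null && !isPrivateHost(host);
  });
}

// Stand-alone run: one summary line per suspicious request.
for (const e of findExternalEmbeds(parseCombinedLog(SAMPLE_LOG))) {
  console.log(`${e.time} ${e.client} ${e.method} ${e.path} embedded from ${refererHost(e.referer)}`);
}
```

On the constructed log above the check reports the two requests carrying `http://example.test/scanner.html` as Referer and ignores the direct visit and the two requests referred from private addresses. A Referer is only present when the browser chooses to send one, so an empty field is not evidence that a request was legitimate; the check narrows the log down to the cases that are certainly cross-origin embeds.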
No. 20 — August 28th, 2007 at 2:22 pm
I realise that this does leave Firefox and probably other browsers open to attack, but I’m sick and tired of communicating with manufacturers who seem to think they know better than me and dismiss my reports.
I’ve also had enough of the biased media coverage of security blogs, to the point now where I don’t even care. It is laughable that this article will never get coverage, so I’m leaving it up to the manufacturers to monitor my web site, because why should I go to all the effort for nothing?
No. 21 — August 31st, 2007 at 8:10 am
One more comment/question….
CSS allows you to overrule previously set definitions. Isn’t it possible to overrule any ‘visited’ property with a default value? This way the URL shouldn’t be requested.
Or am I wrong?
– Unomi –
No. 22 — August 31st, 2007 at 8:18 am
Hi Unomi
If you mean as a protection against LAN scanning then I don’t think it would make any difference unfortunately, because if you reset all visited states, the scanner then creates a new set of history, therefore overwriting the rule.
The only way I could think to protect against this sort of attack would be to use something like Stylish to disable the visited state altogether, so the site in question cannot access the visited selector.
No. 23 — September 6th, 2007 at 10:23 am
Some of you may have experienced some problems storing the IP address on Firefox. I have found the problem happens when the user agent hasn’t been set for the browser.
This is because of the security filters on my site, so the scanner will work in Firefox on all platforms.
No. 24 — September 14th, 2008 at 5:42 am
I have something to ask:
What if the 2 IP nos. are the same on the e-mail? Does it mean it’s the same person using the same acc?