Full Disclosure mailing list archives

By Date By Thread Obtaining LAN IP from JavaScript for CSRF From: Craig Young <vuln-report () secur3 us>

Date: Tue, 22 Sep 2015 17:51:14 -0400

I recently came across an interesting PoC on GitHub for utilizing STUN to determine a local LAN IP via JavaScript. This was surprising to me since I thought you generally shouldn't be able to identify the LAN IP in JavaScript so I have started using this in CSRF exploit demonstrations. A brief explanation including a link back to the original work is on the Tripwire State of Security blog here: http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/smart-cross-site-request-forgery-csrf/ An interesting note to this is that even though the code references a Mozilla STUN server on the internet, I was able to use this PoC in Chrome on a LAN without any gateway to the Internet. The exploit page was accessed via HTTP (from a local VM) so this is not some special case for the file:// scheme. I tested this on a Windows and OS X Chrome release. I'd be interested to hear any thoughts on why it works without a route to a real STUN server. Thanks, Craig Young Security Researcher, Tripwire VERT @CraigTweets _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Obtaining LAN IP from JavaScript for CSRF Craig Young (Sep 22)