JavaScript security leaks?

#1 | 02-25-2005 | Charles Sullivan

When browsing a website with JavaScript enabled in the
browser (Firefox, Opera), what information about my
system can be returned to the website by JavaScript?

I've seen the scam sites which display the contents of the
current directory and purport that they are being returned
to the website. But I've been told they are just displayed
locally and aren't really returned to the website.

However this site _looks_ legitimate:
http://www.auditmypc.com

When the "What's my IP" menu item is selected it displays
the internal network IP of my PC, which is behind a router.
(It isn't displayed if I disable JavaScript in the browser.)

If the internal IP is in fact actually returned to the
website, what other information might JavaScript reveal?

(I'm running PCs under Red Hat 9, Fedora Core 2, and
Windows XP in a network behind a Linksys WRT54G router.
Firewalls are configured for the router and on each
individual PC.)

Regards,
Charles Sullivan



#2 | 02-25-2005 | Bit Twister

On Fri, 25 Feb 2005 17:55:41 GMT, Charles Sullivan wrote:
> When browsing a website with JavaScript enabled in the
> browser (Firefox, Opera), what information about my
> system can be returned to the website by JavaScript?


Look for yourself:
http://gemal.dk/browserspy/

#3 | 02-26-2005 | Travis Casey

Charles Sullivan wrote:

> When browsing a website with JavaScript enabled in the
> browser (Firefox, Opera), what information about my
> system can be returned to the website by JavaScript?
>
> I've seen the scam sites which display the contents of the
> current directory and purport that they are being returned
> to the website. But I've been told they are just displayed
> locally and aren't really returned to the website.
>
> However this site _looks_ legitimate:
> http://www.auditmypc.com
>
> When the "What's my IP" menu item is selected it displays
> the internal network IP of my PC, which is behind a router.
> (It isn't displayed if I disable JavaScript in the browser.)


(I'll presume you mean that it's behind a NAT device... a regular router
won't do anything to hide your IP.)

They use JavaScript to display it, but it's not returned to their site.
It's possible that a couple of pages could work together to do that,
though, by inserting the IP into a string, then placing that in a hidden
field in a form, and getting you to submit the form.

Still, though, what are they going to do with the information? Most likely
if you're using NAT, your internal IP is going to be a non-routable
address... so they'll have to find some other way onto your network to do
anything about it.

If you really want to know what JavaScript can find out, I'd suggest finding
a good reference on it. There are some "system variables" that it can get,
but not a lot.

--
ZZzz |\ _,,,---,,_ Travis S. Casey <efindel@earthlink.net>
/,`.-'`' -. ;-;;,_ No one agrees with me. Not even me.
|,4- ) )-,_..;\ ( `'-'
'---''(_/--' `-'\_)
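
Added example, not part of the original thread: in the hidden-field scenario described in the post above, the internal address only reaches the site if it ends up in a submitted request, so a form submission captured in the browser's developer tools or a local proxy can be checked for it. The field name `client_info` and the sample body are constructed for illustration.

```javascript
// Added example: scan a URL-encoded form submission for private IPv4 addresses.
// RFC 1918 ranges as [network, prefix length].
const PRIVATE_RANGES = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Dotted-quad text -> unsigned 32-bit number, or null if it is not valid IPv4.
function ipv4ToInt(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

function isPrivateIPv4(text) {
  const addr = ipv4ToInt(text);
  if (addr === null) return false;
  return PRIVATE_RANGES.some(([network, bits]) => {
    const base = ipv4ToInt(network);
    return addr >= base && addr < base + 2 ** (32 - bits);
  });
}

// Returns [{ field, address }] for each private address found in any field,
// including hidden ones: hidden inputs are submitted like any other field.
function findInternalIpLeaks(formBody) {
  const leaks = [];
  for (const [field, value] of new URLSearchParams(formBody)) {
    for (const address of value.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || []) {
      if (isPrivateIPv4(address)) leaks.push({ field, address });
    }
  }
  return leaks;
}

// Constructed sample body; "client_info" is a hypothetical hidden-field name.
const SAMPLE_BODY =
  "name=Charles&comment=hello&client_info=ip%3D192.168.0.100%3Bres%3D1024x768" +
  "&seen_from=203.0.113.7";

console.log(findInternalIpLeaks(SAMPLE_BODY));
```
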

#4 | 02-26-2005 | buck

On Fri, 25 Feb 2005 12:46:34 -0600, Bit Twister
<BitTwister@mouse-potato.com> wrote:

>http://gemal.dk/browserspy/


I think this one is better
http://www.leader.ru/secure/who.html

That site used to show the content of the C drive on my Windows 2000
server but I don't see that link any more.

Scary as hell.

buck

#5 | 02-26-2005 | Charles Sullivan

On Fri, 25 Feb 2005 20:03:12 -0800, buck wrote:

> On Fri, 25 Feb 2005 12:46:34 -0600, Bit Twister
> <BitTwister@mouse-potato.com> wrote:
>
>>http://gemal.dk/browserspy/
>
> I think this one is better
> http://www.leader.ru/secure/who.html
>
> That site used to show the content of the C drive on my Windows 2000
> server but I don't see that link any more.


There may or may not have been a JavaScript vulnerability in
Windows at one time which allowed sending back that information
to the visited website.

However a trick used by some scam sites to promote their "security"
software is to display the contents of your directory on your
monitor and imply that THEY are seeing the same information, which
isn't true.

Regards,
Charles Sullivan

#6 | 02-27-2005 | Michael J. Pelletier

buck wrote:

> On Fri, 25 Feb 2005 12:46:34 -0600, Bit Twister
> <BitTwister@mouse-potato.com> wrote:
>
>>http://gemal.dk/browserspy/
>
> I think this one is better
> http://www.leader.ru/secure/who.html
>
> That site used to show the content of the C drive on my Windows 2000
> server but I don't see that link any more.
>
> Scary as hell.
>
> buck



ONLY if you are using IE...

#7 | 02-27-2005 | Julia Thorne

On Sat, 26 Feb 2005 21:05:07 -0800, Michael J. Pelletier wrote:

> buck wrote:
>
>> On Fri, 25 Feb 2005 12:46:34 -0600, Bit Twister
>> <BitTwister@mouse-potato.com> wrote:
>>
>>>http://gemal.dk/browserspy/
>>
>> Scary as hell.
>
> ONLY if you are using IE...


NO, only if you are using JavaScript. It's the same with ALL
browsers. Read the fine print on browserspy, it shows which
browsers share each of the "features" tested for.

For once, Micro$oft isn't the main problem. It's JavaScript,
and the many stupid features added by browsers (not just MSIE).

#8 | 03-14-2005 | Carl

Yes, I have had the same experience (internal IP address revealed past
NAT router) using Firefox. When Java is disabled (not Javascript, but
Java, for at least the particular site I was using), the IP address was
no longer visible.

Still, given that your address on a local network is selected from a
very small range of addresses that are re-used on every local network
(e.g., 192.168.0.100, and so on), it is hard to see what value this
information would have for an attacker. The reason that we use NAT
routers is so that scanners will not get a response when they scan for
open ports and come across the IP address by which we are known on the
Internet. This address is significant because if a response is given,
then a hacker knows that a responsive machine is at that address and
can return to it at a later date to try to exploit that responsiveness.
Given that broadband connections allow people to remain online at the
same IP address for many days at a time, that knowledge is significant.

But once your machine is behind a NAT router on a local network, its IP
address is only relevant within that network. So, it is hard to see
how it could be used by an attacker. You could pretty much guess at
anyone's internal IP address and be right a significant fraction of the
time.

So, if I visit a particular Web site and they trap my internal IP
address, what are they going to do with it? They already know my
router's address, and they know that a real computer is behind it,
because I am accessing their site using that address. So, they can now
attempt to exploit vulnerabilities in my browser, or Java, or whatever,
which they could have done anyway.

Am I missing something, or is it reasonable to think that an exposed
internal IP address is not much of a threat?

Carl

Julia Thorne wrote:
> On Sat, 26 Feb 2005 21:05:07 -0800, Michael J. Pelletier wrote:
>
> > buck wrote:
> >
> >> On Fri, 25 Feb 2005 12:46:34 -0600, Bit Twister
> >> <BitTwister@mouse-potato.com> wrote:
> >>
> >>>http://gemal.dk/browserspy/
> >>
> >> Scary as hell.
> >
> > ONLY if you are using IE...
>
> NO, only if you are using JavaScript. It's the same with ALL
> browsers. Read the fine print on browserspy, it shows which
> browsers share each of the "features" tested for.
>
> For once, Micro$oft isn't the main problem. It's JavaScript,
> and the many stupid features added by browsers (not just MSIE).

