Ruby on Rails, Io, Lisp, JavaScript, Dynamic Languages, Prototype-based programming and more...


Thursday, June 08, 2006

A JavaScript Based Firewall-Immobilizing Port Scanner

I finally found a totally unacceptable cross-domain Ajax security issue.

After the hotly debated Debunking Strong Misconceptions About Cross-Domain Ajax Security Issues, most of the currently known security issues concerning cross-domain Ajax were explored and found wanting. All but one: an edge case of cross-domain Ajax that affects corporations with corporate secrets on intranets. I stand by most of my arguments and believe that many web developers still greatly misunderstand the fundamental principles behind Ajax.

However, I was wrong. Very, very wrong. There is something you can do with cross-domain Ajax that is deeply and fundamentally insecure, something nobody could argue against. I was chatting with my friend Dave Fayram (with whom I have started doing a podcast) when we came across a security issue that would affect every single person with a cross-domain-Ajax-enabled browser, not just the corporate intranets.

If you are on a Mac, download safariexploit.html as a file onto your hard drive. Now open it with Safari and prepare to be scared.

Using the fact that the file:/// protocol in Safari allows you to do cross-domain Ajax as much as you like, you can experiment with the potential security concerns of cross-domain Ajax. What I was able to build was a JavaScript-based Firewall-Immobilizing Port Scanner in 50 lines of JavaScript. Luckily, Safari does not allow cross-domain Ajax from the http:// protocol, so this is not something that can be taken advantage of across the internet (there is no need to switch away from Safari because of this).

What the port scanner is able to do is explore not only your localhost but your surrounding network. It can look at the and ranges (as well as any other you specify). It can look at any port you want on any computer you want, as long as the local machine can reach it. It can even report what version of SSH server and web server you are running on all of those computers. It works entirely in the background, without your knowledge, while you are simply viewing a page. At the end of the port scan it posts this data to a public forum that anyone can access.

Nobody can argue that this isn't a Very Bad Thing. Without a white-listing crossdomain.xml file that explicitly lists other sites that are allowed to do cross-domain Ajax communication (an idea that I whole-heartedly believe would change the landscape of the web for the better without the aforementioned otherwise insurmountable security problems), cross-domain Ajax is clearly and fundamentally a very big risk that should remain unimplemented like it stands today.
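As an added example (not code from the original post), here is what the white-listing check the post argues for could look like, evaluated over a Flash-style crossdomain.xml policy. The sample policy, the host names and the function names are assumptions; treating a file:// origin as having no host is the point the post makes about Safari.

```javascript
// Added example, not code from the original post: a whitelist check of the
// kind the post argues for, over a Flash-style crossdomain.xml policy.
// The sample policy, the host names and the function names are assumptions.
const SAMPLE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.partner.example"/>
</cross-domain-policy>`;

// Pull the domain patterns out of the policy (a regex is enough for this
// shape; Node has no DOMParser built in).
function parseAllowedDomains(policyXml) {
  const re = /<allow-access-from\s+[^>]*domain="([^"]*)"/g;
  const domains = [];
  let m;
  while ((m = re.exec(policyXml)) !== null) domains.push(m[1].toLowerCase());
  return domains;
}

// "*" matches any host; "*.partner.example" matches hosts below
// partner.example (the leading dot is kept so "evilpartner.example" cannot
// sneak in); anything else must match exactly.
function patternMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return pattern === host;
}

// Decide whether a page loaded from `origin` may make cross-domain requests
// to the site that served `policyXml`. A file:// origin has no host, so it
// is refused: that is the Safari behaviour the post shows being abused.
function isOriginAllowed(policyXml, origin) {
  let host;
  try { host = new URL(origin).hostname.toLowerCase(); } catch (e) { return false; }
  if (!host) return false;
  return parseAllowedDomains(policyXml).some((p) => patternMatches(p, host));
}

// The weak setting: a policy that names "*" lets every site on the web, and
// every page on every intranet, read this host's responses. Flag it.
function isPolicyPermissive(policyXml) {
  return parseAllowedDomains(policyXml).includes('*');
}
```

Run isPolicyPermissive over any policy you deploy before trusting it: a single "*" entry undoes the whole point of the whitelist.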

Many of you might laugh at this conclusion since I was so brazen in my previous post, but if someone had given me an example half as clear as the one provided here as to why cross-domain Ajax raises serious security concerns, I would never have had to write that post. The post was intended to straighten out false claims and to draw out any true claims. As shown by this revelation, I succeeded. The truth remains that many people are, and will remain, confused as to why cross-domain Ajax is a bad idea. They don't understand that the vast majority of the concerns they might have already exist today in many alternative forms. Even those who understood the real security concerns introduced by cross-domain Ajax were not able to give me a clear and penetrating example.

I am currently developing some very interesting applications using a hack that imitates cross-domain Ajax (without any of the security concerns mentioned here). This is why I wanted to explore in detail the security issues surrounding the technology. Google was unable to shed much light because people were not having enlightening conversations, so I am very thankful to all of you who commented on the previous post. I am glad there is now a permanently recorded insightful conversation for a relatively misunderstood topic.

If anyone from IE, Firefox, or Apple is listening, please please please integrate the use of crossdomain.xml policy file and allow us developers some secure cross-domain freedom. The web is missing out on a lot of innovative applications and too many people are creating ugly hacks to get around it.



Anonymous Anonymous said...

"If you are on a Mac, download safariexploit.html as a file onto your hard drive. Now open it up with Safari and prepared to be scared."

It would be nice if you included a link to the file :-)

11:40 PM, September 18, 2006

Blogger Web app security info said...

You mean the file you open is stored on the disk? Or is it served from a http link?

4:35 AM, September 27, 2006

Anonymous Small Business Web Hosting said...

Ajax has an unprecedented number of major security flaws. Which is why I wonder why Google is pushing it so hard.

6:28 AM, October 01, 2006

Anonymous Ivan said...

Having the local network scanned that way sounds scary, but again, how much exactly can an outside attacker do knowing, e.g., that my machine has an old insecure SSH server? If the router is configured properly, not much.

There are a number of security issues with cross-domain Ajax, but IMHO most of them are related to exploiting poorly written server-side solutions. And you can't blame a technology for people being stupid.

5:11 AM, October 02, 2006

Blogger rickdog said...

What I'd like to see is a service that allows bloggers to grab XML as a javascript string (JSON) and inject that into a script element. The client app can then load it into a DOMDocument. Then client-based apps can have some cross-domain RPC capabilities.

The service would be very simple, like:


and return an escaped string:

xmlString="<?xml version=\"1.0\" encoding=\"UTF-8\"?><rdf:RDF ...></rdf:RDF>";

Then I can do something like this:
<script id="myXML" src="http://convertXML2String.com?url=http://del.icio.us/rss/rickdog"></script>
<script>
// xmlString is defined by the script loaded above
var parser = new DOMParser(); // gecko only
var doc = parser.parseFromString(xmlString, "text/xml");
</script>

12:00 AM, October 03, 2006
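Added example, not code from rickdog's comment or from any real converter service: what the "escaped string" such a service would have to return looks like when it is done correctly, and the client-side decode. The function names and the sample feed are assumptions; the point is that the fetched feed must never be able to end the string literal or the enclosing script element.

```javascript
// Added example (not from the comment above, not a real service): build the
// JavaScript body a convertXML2String-style service would return, escaping
// the third-party XML so it cannot break out of the string literal.
function toJsStringLiteral(s) {
  // JSON.stringify escapes backslashes, double quotes, newlines and control
  // characters. "</" is additionally broken up so the literal can never close
  // an enclosing <script> element early, and U+2028/U+2029 are escaped because
  // they are line terminators in JavaScript but not in JSON.
  return JSON.stringify(s)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server side: the script body sent back for a converted feed.
function buildScriptBody(xml) {
  return 'var xmlString = ' + toJsStringLiteral(xml) + ';';
}

// Client side: what evaluating that body defines. A <script src> would do
// this in the page; here it is simulated with Function so it runs stand-alone.
function decodeScriptBody(body) {
  return new Function(body + ' return xmlString;')();
}

// Constructed sample feed containing the characters that need escaping.
const SAMPLE_XML = '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<rdf:RDF><item><title>a "quoted" title \\ slash</title></item></rdf:RDF>';
```

Escaping only keeps the feed inside the string; the converter service itself still runs as first-party script on the blog, so it has to be a host you trust.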

Anonymous Anonymous said...

Did you mean you loaded the file from your local disk? You should feel lucky that it didn't wipe out your hard drive. Didn't Safari give you a warning or something?

1:12 PM, October 10, 2006
