Possibility of Blocking Requests to localhost and Reserved IP Addresses by websockets? #1070
Comments
What are the possible issues adding
I imported the list and I see no impact on performance as per built-in benchmark. I did see a request from the benchmark which is being blocked by that list and which was not blocked:
@gwarser could probably comment... But what if a site assigns a hostname to one of these IP addresses? In such a case, would these IP blocks by regex still catch those? If not we may need to think about that too...
Well it's possible to block at onHeadersReceived() time and the IP address information is available at this point, so theoretically uBO could ensure the IP address is not a local one. In that case that would not be a matter of filter list, but maybe a per-site switch.
The amazing thing is that this is apparently a feature and not a bug in most browsers... So I guess the question is whether it would be worthwhile to just use the list, or as you suggested a per-site switch... The author of this article, which discusses and shows some of the more malicious possibilities with a stock Firefox (https://medium.com/@stestagg/stealing-secrets-from-developers-using-websockets-254f98d577a0), has provided a websocket portscan test here, but it uses IP and not hostnames...still, useful for peace of mind on that front...minus domains:
as pointed out by @gorhill in uBlockOrigin/uBlock-issues#1070
NoScript had "ABE (Application Boundaries Enforcer)" enabled by default which basically blocked access from non-local domains to local domains (so opening 127.0.0.1 could still access 127.0.0.1, but internet websites could not). This helped against attacks like https://chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html (using pictures that are by default never blocked in uMatrix). Since NS removed this feature I had no use for it anymore and switched to uMatrix with a blocklist like this: https://www.privacy-handbuch.de/handbuch_21g.htm For a long time I wondered why uMatrix (or uBlock) does not come with this feature by default & enabled since it's just a few rules that need to be added. Are those giant regex even necessary @gwarser? The 127.xxx one for example is written in this guide only as ||127.0.*^$important,third-party whereas you have some giant regex that is probably much slower? Same with 172 where it might be faster just adding those 16 prefixes separately? As what does a WSS register in uMatrix? Fetch/XHR?
I think the regex is there to protect all of the IANA reserved IP range...
On 5/26/20 9:08 PM, ganego wrote:
NoScript had "ABE (Application Boundaries Enforcer)" enabled by default
which basically blocked access from non-local domains to local domains
(so opening 127.0.0.1 could still access 127.0.0.1, but internet
websites could not). This helped against attacks like
https://chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html
(using pictures that are by default never blocked in uMatrix).
Since NS removed this feature I had no use for it anymore and switched
to uMatrix with a blocklist like this:
https://www.privacy-handbuch.de/handbuch_21g.htm
For a long time I wondered why uMatrix (or uBlock) does not come with
this feature by default & enabled since it's just a few rules that
need to be added.
Are those giant regex even necessary @gwarser
<https://github.com/gwarser> ? The 127.xxx one for example is written
in this guide only as |||127.0.*^$important,third-party| whereas you
have some giant regex that is probably much slower? Same with 172
where it might be faster just adding those 16 prefixes separately?
As what does a WSS register in uMatrix? Fetch/XHR?
Web devs could get mad if this is implemented. Third-party requests to localhost are often used to detect the presence of an application on a user's computer, which can be malicious, but also serves a purpose. For example, discord uses websockets on localhost to determine if a user already has the discord application installed, and communicate between the website and application. This happens on invite pages like this: https://discord.com/invite/valorant Another example - website-application communication on localhost also occurs on https://screencast-o-matic.com/screen-recorder (click the Launch Free Recorder button).
Quite frankly it's none of their damned business because this behavior
is in and of itself malicious in the case of checking multiple ports.
If we can't address this fully here it should be a permissions system
built into Firefox, similar to canvas permissions IMO...as should the
ability to embed chrome:// images and CSS fingerprint.
On 5/26/20 9:28 PM, LE wrote:
Web devs could get mad if this is implemented. Third-party requests to
localhost are often used to detect the presence of an application on a
user's computer, which can be malicious, but also serves a purpose.
For example, discord uses websockets on localhost to determine if a
user already has the discord application installed, and communicate
between the website and application. This happens on invite pages like
this: |https://discord.com/invite/valorant|
Another example - website-application communication on localhost also
occurs on |https://screencast-o-matic.com/screen-recorder|. (click the
|Launch Free Recorder| button)
Interesting, they seem to actually use the TimeBleed attack vector whereas discord uses some XHR according to uMatrix.
Yes. You can have a local server hosted on any IP. Does not matter if Ebay is scanning only
This filter is not valid - an IP is not equal to a domain. It will match Replacing
In uBO these Regular Expressions are tokenized - plain strings are extracted from them. In these filters it will be first octet (
@gorhill exposing second octet will help with tokenization? I'm pretty sure ipv6 address filters from https://www.privacy-handbuch.de/handbuch_21g.htm are also wrong. For example
This has now even made it to Schneier:
After doing some research, I've found that these fingerprint scripts are all hosted via CNAME on the same domain, which uBO already blocks when CNAME checking is on:
Beyond that, it usually is served up as one or more of these:
It's used by a lot of sites:
Someone also has built a payload decryption tool: https://gist.github.com/nemec/ea6b21bcd027b81ac1e3fbcfeb01db3e
The linked spreadsheet in that article...those domains should probably make it into the blocklists. https://docs.google.com/spreadsheets/u/1/d/1Nu4lpyZ5PQUIpiLJBddXnr67t5-1y0u40dzyzSYj1gc/preview
No need to add any of those hostnames, online-metrix.net is already blocked by both EasyPrivacy and Peter Lowe's.
Yes, I just discovered this fact...
[opens mouth and inserts foot]
On 5/30/20 3:05 PM, Raymond Hill wrote:
No need to add any of those hostnames, |online-metrix.net| is already
blocked by both EasyPrivacy and Peter Lowe's.
What is still missing in my list is ipv6 handling https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses. No one will scan these from a to z, but some software can still be listening on one [address, so specialized fingerprinting scripts may look only for these specific addresses]. Calculator https://www.vultr.com/resources/subnet-calculator-ipv6/
I'm not sure my filters above are actually valid or if these addresses can be so easily matched by simple text comparison with wildcard. Is And dang :/ -
I will add these filters if they look good for you (anyone?). How to efficiently add Testing tokenization: https://regex101.com/r/gNYvlE/2 [rev. 2 start and end of string anchors must be removed] Hmmm,
I think @gwarser 's list is worth being added to stock lists but with default-disabled until/unless we gather enough evidence that it doesn't cause FP as warned by @llacb47 . I have been blocking these local accesses, though with problematic rules until I see it, and want to think there was no serious FP but IIRC some videos made requests to these local addresses which I haven't investigated. Security-conscious people have long been trying to block these accesses but unfortunately rules shared on Wilders or Malwaretips are wrong and don't work. I know nothing can stop those people from importing wrong or poorly written filters but making a proper list included in stock lists will mitigate this. (Off-topic) @ilikenwf
There's a problem.
Regex filters will not be tokenized because of And if someone would like to use IP scanning maliciously, it's very easy to convert ipv4 to ipv6 gwarser/filter-lists#6 I think special syntax for IP addresses is needed.
You all realize we're the first ones to actually even address this issue? Not even mozilla has commented..."it's a feature, not a bug..."
@ilikenwf No this has been known for years now, especially since NS lost ABE, with several "exploits" using this "bug". Unfortunately nobody really cares. I still think uB and uM should come with a default enabled blocklist that works like ABE.
Well
Given I see no impact on benchmarking results, should I offer this list as an option in stock filter lists? Under "Privacy"? (Not enabled by default)
You can halve the number of regex filters to maintain by simply replacing
+1 but another option will be to put under Malware domains (better to rename Security if possible). These rules will prevent CSRF (and DNS rebinding, if anyone cares about it) to routers, essentially the superior alternative of now-gone Noscript's ABE. You can see how many home routers have suffered CSRF vulnerability nowadays by just searching in CVE database.
This wouldn't take care of DNS rebinding, for this uBO would need to filter according to IP address information, not request URL. IP address information becomes available at webRequest.onHeadersReceived() time in Firefox, later at webRequest.onResponseStarted() time with Chromium.
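Two points in the thread above, gwarser's doubt that reserved addresses can be matched reliably by text comparison (IPv6 in particular has many spellings, and an IPv4 address can be written as IPv4-mapped IPv6) and gorhill's point that a DNS-rebinding case can only be caught from the server IP available at onHeadersReceived() time, are worked through in the following added example. It is not code from this thread or from uBlock Origin; all function names are mine, and the `details` object with `url`, `ip` and `thirdParty` is an assumed shape loosely modelled on Firefox's webRequest listener argument, not a guarantee of the real API.

```javascript
// Added example, not uBlock Origin code. Classifies an address string as
// reserved (loopback, RFC 1918, link-local, CGNAT, ULA, IPv4-mapped) and
// contrasts what a URL-text filter can decide with what a check on the
// server IP at onHeadersReceived time can decide. `details` is an assumed
// shape { url, ip, thirdParty } loosely modelled on Firefox webRequest.

// Dotted-quad IPv4 -> 4 bytes, or null.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const b = m.slice(1).map(Number);
  return b.every(x => x <= 255) ? b : null;
}

// Textual IPv6 ("::" compression, optional embedded IPv4 as the last group,
// optional [] brackets) -> 16 bytes, or null.
function parseIPv6(s) {
  s = s.replace(/^\[|\]$/g, '');
  const parts = s.split('::');
  if (parts.length > 2) return null;
  const toWords = (str) => {
    if (str === '') return [];
    const out = [];
    const groups = str.split(':');
    for (let i = 0; i < groups.length; i++) {
      const g = groups[i];
      if (i === groups.length - 1 && g.includes('.')) {
        const v4 = parseIPv4(g);
        if (!v4) return null;
        out.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else if (/^[0-9a-fA-F]{1,4}$/.test(g)) {
        out.push(parseInt(g, 16));
      } else {
        return null;
      }
    }
    return out;
  };
  const head = toWords(parts[0]);
  const tail = parts.length === 2 ? toWords(parts[1]) : [];
  if (!head || !tail) return null;
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) return null;
  const words = [...head, ...new Array(missing).fill(0), ...tail];
  return words.flatMap(w => [w >> 8, w & 0xff]);
}

// [network bytes, prefix length, label] for IPv4 ranges a public page
// should never be reaching.
const V4_RESERVED = [
  [[0, 0, 0, 0], 8, 'unspecified'],
  [[10, 0, 0, 0], 8, 'private'],
  [[100, 64, 0, 0], 10, 'cgnat'],
  [[127, 0, 0, 0], 8, 'loopback'],
  [[169, 254, 0, 0], 16, 'link-local'],
  [[172, 16, 0, 0], 12, 'private'],
  [[192, 168, 0, 0], 16, 'private'],
];

function inPrefix(bytes, net, bits) {
  for (let i = 0; i < bytes.length; i++) {
    const left = bits - 8 * i;
    if (left <= 0) return true;
    const mask = left >= 8 ? 0xff : (0xff << (8 - left)) & 0xff;
    if ((bytes[i] & mask) !== (net[i] & mask)) return false;
  }
  return true;
}

function classifyV4(b) {
  for (const [net, bits, label] of V4_RESERVED) {
    if (inPrefix(b, net, bits)) return label;
  }
  return 'public';
}

// Label for any textual address. IPv4-mapped IPv6 is classified by its
// embedded IPv4, so "::ffff:127.0.0.1" cannot slip past a v4-only rule.
function classifyIp(s) {
  const v4 = parseIPv4(s);
  if (v4) return classifyV4(v4);
  const v6 = parseIPv6(s);
  if (!v6) return 'invalid';
  const lead = v6.slice(0, 10).every(x => x === 0);
  if (lead && v6[10] === 0xff && v6[11] === 0xff) return classifyV4(v6.slice(12));
  if (v6.every(x => x === 0)) return 'unspecified';
  if (v6.slice(0, 15).every(x => x === 0) && v6[15] === 1) return 'loopback';
  if ((v6[0] & 0xfe) === 0xfc) return 'unique-local';
  if (v6[0] === 0xfe && (v6[1] & 0xc0) === 0x80) return 'link-local';
  return 'public';
}

function isReservedIp(s) {
  const c = classifyIp(s);
  return c !== 'public' && c !== 'invalid';
}

// Filter-time view: only an IP literal in the URL is decidable. WHATWG URL
// parsing normalises odd spellings ("http://2130706433/" -> 127.0.0.1), but a
// hostname that merely resolves to a LAN address (DNS rebinding) is 'unknown'.
function decideFromUrl(url) {
  const c = classifyIp(new URL(url).hostname);
  if (c === 'invalid') return 'unknown';
  return c === 'public' ? 'allow' : 'block';
}

// Response-time view: the server IP is known, so a third-party request that
// landed on a reserved address can be blocked whatever its hostname was.
function decideFromResponse(details) {
  if (!details.thirdParty) return 'allow';
  if (!details.ip) return 'unknown';
  return isReservedIp(details.ip) ? 'block' : 'allow';
}
```

The design choice is to parse into bytes and compare prefixes rather than to pattern-match the text: `decideFromUrl('wss://router.example/')` returns `'unknown'` because nothing in the URL says where that name resolves, while `decideFromResponse({ url: 'wss://router.example/', ip: '192.168.1.1', thirdParty: true })` returns `'block'`, which is the rebinding case a URL-only filter list cannot express.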
@gorhill Ah, you're right, as it makes the victim access the local IP as
A bit off-topic but uBlock tries to uncloak CNAME before the actual HTTP request is fired, right?
Yes.
Enabling the Block Outsider Intrusion into LAN list is the solution for this issue.
I'm currently using a rules list from here, which should do this, however in theory someone suggested a hostname could be assigned to an internal IP to bypass it (not sure how true this is):
https://github.com/gwarser/filter-lists/blob/master/lan-block.txt
Are there any solutions to restricting websocket access to local network IP addresses?
For more specific targeting, it appears ebay uses check.js from some threat assessment company:
http://ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage