Wednesday, November 29, 2006

Bypassing Mozilla Port Blocking

To protect against the HTML Form Protocol Attack, which would allow the browser to send arbitrary data to most TCP ports, Mozilla restricted connections to several dozen ports. For example, click on http://jeremiahgrossman.blogspot.com:22/ See the screen shot:



I think it was RSnake who found this first, but the blocking mechanism seems to be only applied to the http protocol handler. Odd. Using the ftp protocol handler, we can bypass the block like so: ftp://jeremiahgrossman.blogspot.com:22/ If the port is up, it'll connect, if not, timeout.

I believe this technique could be used to improve JavaScript Port Scanning, where we’re currently only scanning horizontally for web servers (80/443). Instead we may be able to perform vertical port scans on the remaining ports and bypass the imposed restrictions. Perhaps also useful for the Browser Port Scanning without JavaScript technique.

6 comments:

Jamuse said...

that's odd. I get 'This address is restricted ... Firefox has cancelled the request ..." when I tried to access an ssh server via the ftp method you showed.

Jeremiah Grossman said...

Hmmm, the ftp link should have given a "The connection has timed out" message after a minute or two.

Jamuse said...

Just to follow up, when testing on firefox on a debian fox I got the "Firefox has cencelled this request" message. When I tested on firefox on WinXP I did get the "connection has timed out"

Anonymous said...

Hate to be a nick picker, but I doubt it was RSnake who found this first. He was most likely the person you know who found this first. I bet the first person was the person who implemented this predicted behavior into firefox.

Jeremiah Grossman said...

That's probably fair enough.

tu said...

awesome, firefox has been upgraded because of it. Congrats.