Paid Advertising
web application security lab

Server Environmental Variables in JavaScript Space

Yesterday combing through my logs I found an interesting link to a hacked server that hosted an application worth talking about (I know, it’s a stretch but bear with me). The server was hosting a peice of JavaScript served up by a company called ip2phrase. IP2phrase is an interesting service, but doesn’t have a whole lot of utility for most people reading this list, but it did give me an idea. One of the things that I find most useful is the ability to know things about people who visit my applications. One of the ways to do that is look at server environmental variables. But the problem is I’m pretty fortunate to have a server, while most people probably don’t. However, if they combine it with services like WhiteAcid’s community cookie logger or other places where they can post this sort of information it could be super useful for them to know.

So it got me thinking… why not build something similar to Ip2phrase but instead of returning location of users it returns their environmental variables? So instead of it being only availible to you, it’s also availible to anyone who visits your site or any tools that you build in HTML (like PDP’s stuff for instance). Further, if you want to use it in an XSS attack of some sort I’ve provided the variables themselves in JavaScript space. That could be super useful for attacks that need to know specific information about a browser that might not be visible in JavaScript space.

A few great examples of this are HTTP_X_FORWARDED_FOR (what IP address you are coming from if you are using a proxy) and HTTP_VIA (the name and often the type of proxy you are using) which both give you very good information about the user’s origin servers that is otherwise not visible to you in JavaScript space. Of course this could be expanded well beyond what I’ve built but I wanted to get a prototype up and running so people could play with it and let me know what you think.

Comments are closed.