web application security lab

Iframe HTTP Ping

A recent thread on sla.ckers.org discussing a vulnerability in neopets actually got me thinking. Spikeman posted that you could detect when a page had finished loading in an iframe by using an onload event handler. More timing attacks anyone? Well, that’s not all. Firefox has a peculiar behavior here. In IE the onload event handler fires every time (as it should), because the page has finished loading. In Firefox it doesn’t fire if the browser encounters an error, and an error can be something as simple as the server not being up (I have not tested with other server errors).

This proof of concept shows the difference (try it in both IE and Firefox). In Firefox, a series of iframes can be chained together to do port scanning (including Intranet port scanning). This is obviously a known issue when talking about JavaScript includes, but this is the first time I’ve heard of anyone discussing using an iframe for this purpose. Yet another way to do cross-domain leakage (and cross-firewall leakage at that). Thanks to Spikeman for alerting me to the onload event handler in iframes.

3 Responses to “Iframe HTTP Ping”

  1. ardian Says:

    You guys are the best :P

  2. Spikeman Says:

    Wow, I never knew my idea could be so useful.. :P

  3. MustLive Says:

    As I tested, this trick works in my Firefox, but not in my Mozilla. And because of special settings in my Mozilla for connection errors, I can tell you that this method works only when you are using the default connection error settings in your browser.