web application security lab

Potential Use For the Java XST

Jeremiah and I were talking about more potential uses for the XST stuff he came up with. Although it’s not particularly useful for the original purpose he came up with it for (because it uses Java, and Java doesn’t send the cookies necessary for real credential theft), it does have one other interesting potential use. Because it connects out of band from the client (and pretty much ignores the client in general), it’s a pretty slick way to de-anonymize users.

Although it doesn’t use the browser’s normal credentials, it does bypass proxies pretty nicely. So unless the client is set up to send all TCP packets through another host, this would do a nice job of letting the website learn the real address of the user. I will say, however, that due to its buggy nature and the fact that it basically causes my browser to hang, it may not be optimal, but things rarely are with these sorts of hacks. Interesting anyway!

5 Responses to “Potential Use For the Java XST”

  1. Jeremiah Grossman Says:

    via Wladimir Palant, for more information: http://webwarper.net/wwantianonymizer.htm#wwaa

  2. Wladimir Palant Says:

    I also mentioned that you can configure a proxy for Java, and the default is “use browser settings” (where “browser” seems to mean “Internet Explorer”) - so this has very limited use.

    However, Flash has its XMLSocket that doesn’t go through the browser either and I am not aware of any way to configure a proxy for it. Only disadvantage: it isn’t HTTP. So either you need to run a specialized server to receive connections or you can keep Apache but need a way to handle malformed HTTP requests (mod_perl could do this).

    Still not a reliable solution however - it is enough if the user runs a software firewall that disallows direct connections and the de-anonymization will no longer work.

  3. Ronald Says:

    Okay, in case I don’t understand its use completely: I do not actually see the difference from when one tries to make a simple socket connection through Java, just like we did with JavaScript.

    How far does this method differ from it?

  4. boro Says:

    If Java is using “use browser settings” by default, and if it is the settings of the default browser, then for de-anonymization to work we need to run a non-default browser, which is not likely to happen.

  5. Jordan Says:

    @Wladimir — would using the raw socket call still use the proxy? Seems like it wouldn’t because as far as Java knows, you’re not speaking HTTP. Seems like it’d be easy enough to test with Jeremiah’s code if I had a bit more time. :-) (anyone?)