The Un-Official Proxomitron Forum

Full Version: Reading IP with Java from Javascript
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
I came across a site that can read my IP number behind my router by using Java code within a Javascript file. I do not like the idea that someone can do that. Is there any way BFilter could block it? The code fragment is here:
Code:
function ip() {
    try {
         // credits: pdp.
         var sock = new java.net.Socket();
         sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
         sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
         hostname = sock.getLocalAddress().getHostName();
         address = sock.getLocalAddress().getHostAddress();
         document.write(address);
        
         } catch(e) { }
}
The URL is: http://blackdragon.jungsonnstudios.com/
Siamesecat Wrote:I came across a site that can read my IP number behind my router by using Java code within a Javascript file. I do not like the idea that someone can do that. Is there any way BFilter could block it? The URL is: http://blackdragon.jungsonnstudios.com/

Nothing here, I'm running proxo with Sidki 09-03-06 and Kye-U 4.56

I used this before on proxo

Name = "Prevent Java reading your IP"
Active = TRUE
Limit = 30
Match = "(VALUE=DOMAIN|value=domain)(>|)\1"
Replace = "VALUE=R_HOST\1"
I thought this section was about BFilter. I am talking about something I encountered with a Macintosh, which is using BFilter.
Although it's possible to write a filter that doesn't let the code you provided run, but it's always possible to modify it in such a way that the filter won't catch it.

BTW, I don't see how the Proxomitron filter mentioned above can match that code, which kind of proves my point.
The reason why determining the private IP didn't work for elshaddai could be that his browser doesn't allow such things, or maybe he doesn't have Java installed at all.
I tested Firefox, Safari and Konqueror (didn't test IE, sorry) and the code only works on Firefox.

I see only one solution that will work 100%: completely disabling Java in your browser. Note that JavaScript doesn't really matter here. I could achieve the same effect by writing a Java applet and sending your private IP to the server without a single line of JavaScript.
What is the key expression in that code to block? If I wanted to make a capability policy for Firefox to stop that code from working, how would I do it? The only setting like that that I have is this, which is for something completely different, but it should give an idea of what I mean.
Code:
user_pref("capability.policy.default.Location.hostname.set", "noAccess");
We need to disallow direct connections from Java. I would kill any scripts that contain "java.net.", but that won't help. As I said, this can be done with a Java applet, without any JavaScript.

Actually, even with Java disabled, it's still possible to reveal your real IP. All you need is to force some plugin or protocol handler to make a direct connection to the target host. It could be a media player or an FTP client. More info here: http://uk.geocities.com/osin1941/exposingtor.html
Little Snitch seems to pop up whenever I use anything to connect to a FTP site. At least I get some warning.
I looked at my about:config page in Firefox, and it seems that the "capability.policy" syntax is not recognized any more. I presume it has been superceded entirely by the "dom.disable" syntax.
"dom.disable." only affects JavaScript, not Java. As far as I can tell, it's not possible to disable certain features in Java, you can only disable it completely with security.enable_java = false.

A firewall can certainly help here. If I needed 100% anonymity, I'd do the following:
1. Set up another OS in WMWare or Parallels.
2. Set the SOCKS proxy in Firefox and (in case of OSX) System Preferences to localhost:9050 (Tor).
3. Only allow Tor to access the Internet.
My problem is just that I do not like my local IP number behind my router being displayed.
That's a minor problem really. Your real IP is probably local, like 192.168.*.* or 172.16.*.* or 10.*.*.*. Such IPs are not unique and can't be used to identify you. What's more important is that your router IP is also visible, even when using Tor. I think disabling Java in Firefox is a good enough solution for most people. There are few websites that require it.

P.S: Although it's possible to access Java from JavaScript, these are different things and disabling one doesn't disable the other.
I am aware of the difference between Java and Javascript. I actually have a filter for Proxomitron, an old one that I modified a bit, that stops that exploit cold. It shows no information when I use that filter. I do not have anything comparable for the Macintosh, however.
I have another question about the filters in BFilter. It seems to me that external javascript documents are not filtered. The only content-type that is shown is for xhtml, but content_type text/javascript is absent. Why is this? Any window-altering or popup script that can be put into html can also be used in an external .js file.
Filtering external scripts should work. Set Content-Type to * and set an URL pattern. You could set Content-Type to text/javascript, but some scripts are served as text/html.
If I just wanted to block java from fetching an IP address, would I need to insert "content_type = *" followed by "search = /java.net./"? I should not need any replacement just to remove something, should I? Could I add that to the special filter that you already wrote for me?
You are not going to achieve much.
There a are millions of ways to write that code.
Instead of writing java.net.Socket(), I could write:
java['net'].Socket()
java['n'+'e'+'t'].Socket()
someFunc()[otherFunc()].Socket()

Or, I can write no JavaScript code at all, and write a Java applet instead.

Anyway, answering your question, the following filter should do what you want.
Code:
[Block java.net in external scripts]
content_type = *
url = http://evilhost.com/*.js
search = java.net
replace = null
Thanks for the help. To block that code in either a .js file or a .html page, could the URL be made more general, as in:
url = http://*.(js|html|htm) ?
Is "|" used as OR as in Prox?
Pages: 1 2
Reference URL's