LAN-port-scan forbidder, browser addon to protect private network(github.com)
github.com
LAN-port-scan forbidder, browser addon to protect private network
https://github.com/garywill/LAN-port-scan-forbidder
17 comments
Extension will fail for Websocket connections since manifest fails to include ws protocol.
And also "Private Network Access: introducing preflights" (2022) https://developer.chrome.com/blog/private-network-access-pre...
> Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.
> Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, `Access-Control-Request-Private-Network: true`, and the response to it must carry a corresponding header, `Access-Control-Allow-Private-Network: true`
> The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers.
What would a browser setting to just block all PWA requests (`DENY * TO *` (to {192.168.0.1, .1.1, .100.1,}) - regardless of the appropriate new HTTP headers - actually prevent a normal user from doing?
> Chrome is deprecating direct access to private network endpoints from public websites as part of the Private Network Access (PNA) specification.
> Chrome will start sending a CORS preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server. This preflight request will carry a new header, `Access-Control-Request-Private-Network: true`, and the response to it must carry a corresponding header, `Access-Control-Allow-Private-Network: true`
> The aim is to protect users from cross-site request forgery (CSRF) attacks targeting routers and other devices on private networks. These attacks have affected hundreds of thousands of users, allowing attackers to redirect them to malicious servers.
What would a browser setting to just block all PWA requests (`DENY * TO *` (to {192.168.0.1, .1.1, .100.1,}) - regardless of the appropriate new HTTP headers - actually prevent a normal user from doing?
Are there any test pages where I can see if I'm vulnerable to this? I've been assuming that uMatrix prevents this, but this post is a good reminder to double-check
> Some manufacturers provide web for user's browser to scan LAN for their product that need updating.
So random websites can scan for out of date network components? I have no words.
So random websites can scan for out of date network components? I have no words.
Scanning the LAN through your browser is nothing new. JS-Recon from AnD Labs [0] is a tool from 2010 that could do it. I have seen eBay [1], Facebook [2], and Halifax [3] do it too, albeit for other reasons than scanning for outdated devices (fraud/loss prevention). LexisNexis' ThreatMetrix [4] is commonly used to do this.
Please note that this is a copy of a comment I made 2 years ago and I have not tested the links to see if they are still correct.
[0]: https://web.archive.org/web/20101128053633/http://www.andlab...
[1]: https://forum.ultravnc.net/viewtopic.php?f=7&t=33509
[2]: https://www.reddit.com/r/AskNetsec/comments/4j0nas/why_is_fa...
[3]: https://www.theregister.com/2018/08/07/halifax_bank_ports_sc...
[4]: https://risk.lexisnexis.com/products/threatmetrix
Please note that this is a copy of a comment I made 2 years ago and I have not tested the links to see if they are still correct.
[0]: https://web.archive.org/web/20101128053633/http://www.andlab...
[1]: https://forum.ultravnc.net/viewtopic.php?f=7&t=33509
[2]: https://www.reddit.com/r/AskNetsec/comments/4j0nas/why_is_fa...
[3]: https://www.theregister.com/2018/08/07/halifax_bank_ports_sc...
[4]: https://risk.lexisnexis.com/products/threatmetrix
[3] is pretty insane. They have to scan my network to check for malware... does that mean I can scan their network to check for malware?
[deleted]
I don't think this is useful because you may install this on your browser but what about others who are on same network?
There are many what if's, but are they always true?
What if you live alone?
What if you live alone?
webscan doesn't work on my browser