Can JavaScript Show Real IP Address?

Discussion in 'privacy technology' started by arran, Oct 19, 2008.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Hi, when using a proxy server to hide your IP for privacy, and you have JavaScript turned on (which you need to, to load some web pages), is there a way that the people from the servers you are connecting to can find out your real IP address if you have JavaScript turned on?

    If so, how would you prevent JavaScript from revealing your real IP address?
     
  2. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Even if you are using Tor, Javascript can still reveal your REAL IP. And many websites know this... so they refuse to work unless JavaScript is on. And if you disable Javascript, you cannot access their website features.

    Whatever you do on the internet, NOTHING can hide your details 100%.

    So don't do anything illegal or improper, because they can find you no matter what. Not even Tor or other "privacy or anonymous" services can guarantee you being 100% anonymous.
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    There must be some sort of way to prevent JavaScript from showing the real IP?

    Is there any web filtering software which can filter incoming and outgoing JavaScript information?

    Or use a proxy server which does its job properly by not allowing your IP to be transferred in JavaScript?
     
  4. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    Here are some demos to see if your proxy is being bypassed:

    Flash

    Java

    Javascript





    If you have Firefox, the NoScript Firefox Add-on seems to help block scripts that can bypass your proxy. Also, make sure you have a well configured firewall too. Go here for a leak test.
    This isn't a perfect solution but it is a start.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    TruthSeeker,

    Javascript, alone, cannot reveal your "real" IP.

    While there are other good reasons to disable Javascript in your browser, loss of anonymity of IP is not one of them. Many people are confused on this point. It is Java that is your worst friend when it comes to revealing your IP - not the Javascript scripting language. Keep away from active Java in your browser!
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,922
    Location:
    U.S.A.
    arran, besides JavaScript, there are other methods to find out who is visiting a Web site. For example, on a Microsoft server, a Webmaster can create an ASP page that can retrieve a Collection of ASP ServerVariables. Example 2, at the bottom of the page, demonstrates how to reveal a visitor's browser type, IP address, and much more.
     
  7. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Are you 100% certain about that?
     
  8. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    He seems certain to me.
    These failed :) Only one I have disabled is Java.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Yeah, I am using an SSH tunnel proxy, not worried about Java and Flash because I always have them disabled, but it's good to know JavaScript doesn't reveal it because you sometimes need JavaScript on to view web pages.

    Would these ASP ServerVariables show your real IP even when using a proxy?
    How would you prevent your PC from revealing that information in example 2?
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,922
    Location:
    U.S.A.
    Unfortunately, yes. The REMOTE_ADDR variable returns your IP address and the HTTP_REFERER variable would show your proxy IP Address.

    Example 2 shows what can be done from an HTML (regular Web site page) standpoint, but a good Webmaster would use a server-side ASP page, that no one can touch unless the server is hacked, to discover that information. AFAIK you can't prevent ASP server-side scripts from running unless you stop visiting that particular site.

    Whenever someone starts spamming one of my client Web site's online form, I include the above 2 variables inside the ASP code and once the info is collected, it automatically blocks their IP Address via a script. The next time they click the Submit button, the form code is processed and they are redirected to Google.
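
A way to check which server variables would carry a visitor's address, as an added example that is not part of the original post: a server-side page reads `REMOTE_ADDR` (the address of the TCP peer) and any request headers, which appear as `HTTP_*` variables, so a proxy that adds `X-Forwarded-For` or `Forwarded` passes the client address along. The variable maps, addresses and function names below are constructed for illustration.

```javascript
// Added example: which server variables carry a given client address?
// All addresses and variable maps are constructed (RFC 5737 documentation ranges).

// Pull IPv4 addresses and bracketed IPv6 addresses out of a header value,
// e.g. "203.0.113.7, 198.51.100.20" or 'for="[2001:db8::1]:4711"'.
function extractAddresses(value) {
  const re = /\[([0-9a-fA-F:]+)\]|(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])/g;
  const found = [];
  let m;
  while ((m = re.exec(value)) !== null) found.push((m[1] || m[2]).toLowerCase());
  return found;
}

// vars: server variables as a server-side script reads them.
// REMOTE_ADDR is the address of the TCP peer; request headers show up as HTTP_*.
// Returns the sorted names of the variables that contain clientIp.
function findLeaks(vars, clientIp) {
  const wanted = clientIp.toLowerCase();
  return Object.keys(vars)
    .filter((name) => name === 'REMOTE_ADDR' || name.startsWith('HTTP_'))
    .filter((name) => extractAddresses(String(vars[name])).includes(wanted))
    .sort();
}

const CLIENT = '203.0.113.7';   // constructed: address the tester wants hidden
const PROXY = '198.51.100.20';  // constructed: proxy's public address

const samples = {
  direct: { REMOTE_ADDR: CLIENT, HTTP_USER_AGENT: 'ExampleBrowser/1.0' },
  forwardingProxy: {
    REMOTE_ADDR: PROXY,
    HTTP_VIA: '1.1 proxy.example',
    HTTP_X_FORWARDED_FOR: `${CLIENT}, 192.0.2.44`,
    HTTP_FORWARDED: `for=${CLIENT};proto=http`,
  },
  nonForwardingProxy: { REMOTE_ADDR: PROXY, HTTP_USER_AGENT: 'ExampleBrowser/1.0' },
};

function auditAll() {
  const report = {};
  for (const [name, vars] of Object.entries(samples)) report[name] = findLeaks(vars, CLIENT);
  return report;
}

console.log(auditAll());
```

An empty list for a sample means none of the variables in that map contains the tester's address; it says nothing about leaks through other channels such as plugins.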
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    None of the above proofs of concept will reveal an IP address with Xerobank VPN. I have also tried them with Iphantom and they cannot bypass that either. Of course Iphantom is no longer available for purchase. I assume that other VPNs, or at least some of the others, will protect you also.

    If you are going to use tor, it is my understanding that if you use JanusVM, you do not need to worry about Java and javascript. Use them all you like. And evidently when you exit out of the machine, it leaves nothing at all behind on your computer.
     
  12. mp3

    mp3 Registered Member

    Joined:
    Mar 19, 2009
    Posts:
    1
    Where can I test the ASP-example2?
     
  13. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,922
    Location:
    U.S.A.
    mp3, first, welcome to Wilders! Go to the w3schools.com's ASP Request Object page and under the Other Examples section, click on the Get the server variables link for the example 2 test. Be aware that this ASP script does not contain the HTTP_REFERER or any of the other Server_Variables that can be added to a Web form.
     
  14. Jim Verard

    Jim Verard Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    205
    I think we should not ask that question, but another one:

    What can we do to use Java/JavaScript and at the same time, prevent our browser from sending our real IP back to the website that requested that information, using some kind of technique? I mean, if the firewall can block that request and force those calls to be redirected to your proxy/Tor node (or something similar), then you will be able to use JavaScript with no restrictions... and never fear your real IP being revealed.

    There's one thread about this subject where the firewall rules were discussed:
    https://www.wilderssecurity.com/showthread.php?p=1107681

    I think I was capable of blocking the Javascript IP reveal technique by setting those firewall rules. But I wonder if the rules can cover all possibilities if we are talking about Java/Javascript and why not, Flash.
     
    Last edited: Mar 21, 2009
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    To prevent js, java, flash, etc from leaking your local information, you have to change your local information that it knows, because the implementation of these are inherently weak. To change the local environment it sees, you must run your browser in a completely virtualized environment, such as Rockate, Incognito, or xB Machine.
     