The JavaScript - IP Debate - Test Results.

Discussion in 'privacy technology' started by dumpydonk, Mar 16, 2010.

Thread Status:
Not open for further replies.
  1. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I have been reading many posts on this forum about whether JavaScript, Java, and Flash can expose one's real IP address behind a proxy.

    I think the first issue is to determine what content is enabled in the browser. Websites do not need Flash and Java but they do need JavaScript. The web is dysfunctional without JavaScript.

    In order to attempt to discover the "truth" of this matter I have configured my browser (Firefox 3.5.8 using Ubuntu 9.10) with a static Tor address using StrictExitNodes. The Tor node is UBIT2 located in Austria with the IP address 78.142.140.194. I am using Polipo on port 8118 which then passes information to Tor. I have JavaScript enabled but all other content (Java, Flash, etc) is disabled using the browser's Edit / Preferences menu.

    I then connected to the following five "testing" services and display the results below.


    Browserspy.dk:

    IP:
    IP Address 78.142.140.194
    Hostname 78.142.140.194
    Country AT - Austria
    Region City: Vienna
    Latitude: 48.2
    Longitude: 16.3667
    Long IP number 1317964994
    Proxy You're not using a proxy or it could not be detected. Not all proxies identifies themself.
    Local IP address
    Unable to detect due to: TypeError: tmp is null

    Headers:
    REMOTE_ADDR 78.142.140.194


    Deanonymizer.com:

    For the first test I did not agree to download any of the files.

    Test ID: 603941815071225
    Date: 4:29:09 PM 3/16/10
    Area: Vienna, Wien
    Country: Austria
    Your IP Address: 78.142.140.194
    Spoofed IP Address: 78.142.140.194
    Network Name: Tor Network
    Uplink: SIL-UBIT

    # Status IP Test Description
    1 NOT DETECTED Windows Media Player: Real Time Streaming Protocol (RTSP URI): If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    2 NOT DETECTED Windows Media Player: <BANNER> tag in playlist: If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    3 NOT DETECTED Windows Media Player: NetBIOS/WebDAV URI: If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    4 NOT DETECTED Adobe PDF server collaboration: If adobe does not use a proxy, then this can leak your IP address.
    5 NOT DETECTED NEWS/NNTP URI: If your news group reader is not set to use a proxy, then it will leak your real IP address.
    6 NOT DETECTED Internet Explorer 5.5/6/7/8: Local and remote file disclosure vulnerability. This 0-day will attempt to contact the server using WebDAV to report your real IP address, report your username, computer name, and domain name.
    7 NOT DETECTED Internet Explorer 5.5/6/7/8: Local and remote file disclosure vulnerability This 0-day will attempt to contact the server using WebDAV to report your real IP address.
    8 NOT DETECTED Apple Quicktime Playlist: HTTP URI If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    9 NOT DETECTED Apple Quicktime Playlist: FTP URI If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    10 NOT DETECTED Apple Quicktime Playlist: Real Time Streaming Protocol (RTSP URI) If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    11 NOT DETECTED Apple Quicktime Playlist: NetBIOS/WebDav (FILE URI) If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
    12 NOT DETECTED DNS Leakage: Many proxies and VPNs do not handle DNS request securely, which can cause your real IP address to leak.
    13 PASSED 78.142.140.194 Embedded Object: Apple Quicktime Playlist: HTTP URI
    14 PASSED 78.142.140.194 Embedded Object: Apple Quicktime Playlist: FTP URI
    15 NOT DETECTED Embedded Object: Apple Quicktime Playlist: NetBIOS/WebDAV URI

    I then did the same tests but downloaded all the files it requested and obtained the same results as above.


    Frostjedi.com:

    78.142.140.194
    Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
    http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf7

    Frostjedi.com - using moz-binding:

    78.142.140.194
    Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
    http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=quirks


    JonDonym - Anonymous-proxy-servers.net/en/anontest:

    IP address:
    78.142.140.194 (Tor) You are using Tor for anonymous surfing. This is also a good anonymisation service, but because of some organisations misusing Tors exit nodes we recommend JonDonym. Moreover, JonDonym services with costs offer an adequate performance.


    Metasploit - Decloak.net:

    Field Data Dependency
    External Address 78.142.140.194 Browser
    Internal Host unknown Java
    Internal Address unknown Java

    DNS Server (Java) unknown Java
    DNS Server (HTTP) unknown Browser
    DNS Server (FTP) unknown Browser
    DNS Server (Word) unknown Office
    DNS Server (iTunes) unknown iTunes
    DNS Server (Quicktime) unknown Quicktime

    External NAT (FTP) unknown Browser
    External NAT (Java) unknown Java
    External NAT (Flash) unknown Flash
    External NAT (Word) unknown Office
    External NAT (iTunes) unknown iTunes
    External NAT (Quicktime) unknown Quicktime


    I would suggest these tests are not conclusive. However, none of the tests was able to acquire my real IP address.

    Often I have seen posters state that it is possible for JavaScript to be configured on a website to obtain the client IP even when the client is behind a proxy. If so, can someone point me and other forum users to an online test where this is demonstrated? I am talking about JavaScript, not Java.
     
  2. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I am surprised this is not of interest considering previous debates.

    Oh well...
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Given that I'd been flogging the issue for so long, I decided to lurk. I did check them all, though. Using xB VPN and XeroBank, none of them get my true IP. That includes, BTW, allowing the Decloak.net Flash to run. That's the toughest test I've seen, FWIW.
     
  4. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Nice effort buddy....you really dug deep enough!!

    Should we conclude that JavaScript ALONE can NOT determine true IP?
     
  5. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    The reason I did these tests was to encourage this very question: can JS alone get the IP.

    My impression is "no" but other posters say in theory - but perhaps not in practice - JS can get the IP.

    My experience shows that when Flash is "on" my real IP can be obtained from behind the Tor proxy which is why, no doubt, hierophant regards this test as "the toughest". So turn Flash "off"!

    Would anyone else like to continue this JS - IP debate?
     
  6. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Yes, at least in some circumstances. There are cross-site-scripting exploits that can allow access to home routers, depending on the router. If you can access the router config then obtaining the IP is trivial.

    Here's one link
    http://ha.ckers.org/blog/20070215/router-reconfiguration-xss/
    Google for more
     
  7. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    FWIW, the intro paragraph ends with "A properly configured Tor setup should not result in any identifying information being exposed." I've taken that to mean when allowing all of the tests to fully run (e.g., opening the Word doc, and letting the Flash "movie" run). Using XB Browser and connected to XeroBank, this tool doesn't obtain my true IP, even without blocking any of the tests.
     
  8. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    While we're on the topic of exposure, I had an idea for how to configure a system that could allow flash, java, javascript over tor while preventing leaks.

    If the OP is up to the challenge here is the configuration:

    1. Build a VM with your base OS. Windows or Linux.
    2. Install or configure your firewall to deny all network activity.
    3. Manually configure your IP address on the OS, do not set DNS servers. (Removes ability for DNS leaks).
    4. Install tor, and allow it alone to have access to the network.
    5. Configure your browser to use tor.
    6. Adjust permissions on firewall to allow browser and tor to connect.

    The result is, everything from the browser should be forced over tor. Anything that attempts to connect to the internet directly gets blocked by the firewall. It's good in theory, but perhaps I'm overlooking something?
     
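The firewall half of the configuration KookyMan describes (steps 2, 4 and 6), sketched for a Linux guest as an added example that is not part of the original thread. It assumes iptables with the owner match and that Tor runs under its own account (`debian-tor`, the name used by the Debian/Ubuntu package); it also closes IPv6, which the post does not mention.

```shell
#!/bin/sh
# Added example: fail-closed egress rules for a Tor-only Linux VM.
# Assumption: Tor runs under a dedicated account (debian-tor on Debian/Ubuntu).

# Print an IPv4 ruleset in iptables-restore format for the given Tor account.
emit_rules4() {
    tor_user=$1
    # Refuse names that could smuggle extra tokens into the ruleset.
    case $tor_user in
        ''|*[!A-Za-z0-9_-]*) echo "bad account name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback only: the browser reaches Tor's local proxy port here.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections Tor opened.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Only the Tor account may leave the VM, and only over TCP (no UDP, so no DNS).
-A OUTPUT -p tcp -m owner --uid-owner $tor_user -j ACCEPT
# Plugins and helpers that bypass the proxy are logged and refused here.
-A OUTPUT -j LOG --log-prefix "egress-blocked: "
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Print an IPv6 ruleset that permits loopback and nothing else.
emit_rules6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage (as root inside the VM):
#   emit_rules4 debian-tor | iptables-restore
#   emit_rules6 | ip6tables-restore
if [ "$#" -eq 1 ]; then emit_rules4 "$1"; fi
```

Because only the Tor account can open outbound connections, a Flash or Java component that ignores the browser's proxy setting is refused and shows up in the kernel log with the `egress-blocked:` prefix.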
  9. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I have read this link and am not sure it answers my question mostly because I phrased my question badly.

    The issue is not can JS get the IP but can JS get the IP if the user is behind Tor.

    If someone is using Tor (and privoxy) can JS alone get the "real" IP of the user? Having used www.decloak.net and the other "testing" sites with JS on my belief is "negative". I assume that if it is possible then someone will code a website to demonstrate this.
     
  10. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
     
  11. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    With this exploit, if you meet the strict criteria (certain models of router, I think you even have to be logged in to the router when the xss is run), then it doesn't matter if you are behind Tor or any other VPN, the script runs on your machine, looks at your router, gets your IP address from your router and sends it to the person running the exploit. Yeah, it's just a proof of concept exploit, and yeah, it only affects a subset of users, but in that particular case your IP address could be revealed even if you are using Tor.

    Verizon FiOS Router XSS Proof-of-Concept:
    http://samy.pl/vzwfios/index.htm
     
    Last edited: Apr 1, 2010
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Just tried the Verizon FiOS Router XSS Proof-of-Concept: posted by mvario

    The FF NoScript ABE module intercepts the attempt :thumb:

    I do not use a router, instead modem and FW. Whether this makes a difference to the tests? If it does, another good reason I choose not to use a router :D
     