The JavaScript - IP Debate - Test Results.

I have been reading many posts on this forum about whether JavaScript, Java, and Flash can expose one's real IP address behind a proxy.

I think the first issue is to determine what content is enabled in the browser. Websites do not need Flash and Java but they do need JavaScript. The web is dysfunctional without JavaScript.

In order to attempt to discover the "truth" of this matter I have configured my browser (Firefox 3.5.8 using Ubuntu 9.10) with a static Tor address using StrictExitNodes. The Tor node is UBIT2 located in Austria with the IP address 78.142.140.194. I am using Polipo on port 8118 which then passes information to Tor. I have JavaScript enabled but all other content (Java, Flash, etc) is disabled using the browser's Edit / Preferences menu.

I then connected to the following five "testing" services and display the results below.


Browserspy.dk:

IP:
IP Address 78.142.140.194
Hostname 78.142.140.194
Country AT - Austria
Region City: Vienna
Latitude: 48.2
Longitude: 16.3667
Long IP number 1317964994
Proxy You're not using a proxy or it could not be detected. Not all proxies identifies themself.
Local IP address
Unable to detect due to: TypeError: tmp is null

Headers:
REMOTE_ADDR 78.142.140.194


Deanonymizer.com:

For the first test I did not agree to download any of the files.

Test ID: 603941815071225
Date: 4:29:09 PM 3/16/10
Area: Vienna, Wien
Country: Austria
Your IP Address: 78.142.140.194
Spoofed IP Address: 78.142.140.194
Network Name: Tor Network
Uplink: SIL-UBIT

# Status IP Test Description
1 NOT DETECTED Windows Media Player: Real Time Streaming Protocol (RTSP URI): If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
2 NOT DETECTED Windows Media Player: <BANNER> tag in playlist: If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
3 NOT DETECTED Windows Media Player: NetBIOS/WebDAV URI: If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
4 NOT DETECTED Adobe PDF server collaboration: If adobe does not use a proxy, then this can leak your IP address.
5 NOT DETECTED NEWS/NNTP URI: If your news group reader is not set to use a proxy, then it will leak your real IP address.
6 NOT DETECTED Internet Explorer 5.5/6/7/8: Local and remote file disclosure vulnerability. This 0-day will attempt to contact the server using WebDAV to report your real IP address, report your username, computer name, and domain name.
7 NOT DETECTED Internet Explorer 5.5/6/7/8: Local and remote file disclosure vulnerability This 0-day will attempt to contact the server using WebDAV to report your real IP address.
8 NOT DETECTED Apple Quicktime Playlist: HTTP URI If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
9 NOT DETECTED Apple Quicktime Playlist: FTP URI If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
10 NOT DETECTED Apple Quicktime Playlist: Real Time Streaming Protocol (RTSP URI) If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
11 NOT DETECTED Apple Quicktime Playlist: NetBIOS/WebDav (FILE URI) If your media player does not respect your web browser's proxy settings, then your media player can leak your real IP address.
12 NOT DETECTED DNS Leakage: Many proxies and VPNs do not handle DNS request securely, which can cause your real IP address to leak.
13 PASSED 78.142.140.194 Embedded Object: Apple Quicktime Playlist: HTTP URI
14 PASSED 78.142.140.194 Embedded Object: Apple Quicktime Playlist: FTP URI
15 NOT DETECTED Embedded Object: Apple Quicktime Playlist: NetBIOS/WebDAV URI

I then did the same tests but downloaded all the files it requested and obtained the same results as above.


Frostjedi.com:

78.142.140.194
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1. Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=utf7

Frostjedi.com - using moz-binding:

78.142.140.194
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1. Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8
http://www.frostjedi.com/terra/scripts/ip_unmasker.php?mode=quirks


JonDonym - Anonymous-proxy-servers.net/en/anontest:

IP address:
78.142.140.194 (Tor) You are using Tor for anonymous surfing. This is also a good anonymisation service, but because of some organisations misusing Tors exit nodes we recommend JonDonym. Moreover, JonDonym services with costs offer an adequate performance.


Metasploit - Decloak.net:

Field Data Dependency
External Address 78.142.140.194 Browser
Internal Host unknown Java
Internal Address unknown Java

DNS Server (Java) unknown Java
DNS Server (HTTP) unknown Browser
DNS Server (FTP) unknown Browser
DNS Server (Word) unknown Office
DNS Server (iTunes) unknown iTunes
DNS Server (Quicktime) unknown Quicktime

External NAT (FTP) unknown Browser
External NAT (Java) unknown Java
External NAT (Flash) unknown Flash
External NAT (Word) unknown Office
External NAT (iTunes) unknown iTunes
External NAT (Quicktime) unknown Quicktime


I would suggest these tests are not conclusive. However, none of the tests was able to acquire my real IP address.

Often I have seen posters state that it is possible for JavaScript to be configured on a website to obtain the client IP even when the client is behind a proxy. If so, can someone point me and other forum users to an online test where this is demonstrated. I am talking about JavaScript, not Java.

 

I am surprised this is not of interest considering previous debates.

Oh well...

 

Given that I'd been flogging the issue for so long, I decided to lurk. I did check them all, though. Using xB VPN and XeroBank, none of them get my true IP. That includes, BTW, allowing the Decloak.net Flash to run. That's the toughest test I've seen, FWIW.

 

Nice effort buddy....you really dug deep enough!!

Should we conclude that JavaScript ALONE can NOT determine true IP?

 

The reason I did these tests was to encourage this very question: can JS alone get the IP.

My impression is "no" but other posters say in theory - but perhaps not in practice - JS can get the IP.

My experience shows that when Flash is "on" my real IP can be obtained from behind the Tor proxy which is why, no doubt, hierophant regards this test as "the toughest". So turn Flash "off"!

Would anyone else like to continue this JS - IP debate?

 

Yes, and least in some circumstances. There are cross-site-scripting exploits that can allow access to home routers, depending on the router. If you can access the router config then obtaining the IP is trivial.

Here's one link
http://ha.ckers.org/blog/20070215/router-reconfiguration-xss/
Google for more

 

FWIW, the intro paragraph ends with "A properly configured Tor setup should not result in any identifying information being exposed." I've taken that to mean when allowing all of the tests to fully run (e.g., opening the Word doc, and letting the Flash "movie" run). Using XB Browser and connected to XeroBank, this tool doesn't obtain my true IP, even without blocking any of the tests.

 

While we're on the topic of exposure, I had an idea for how to configure a system that could allow flash, java, javascript over tor while preventing leaks.

If the OP is up to the challenge here is the configuration:

1. Build a VM with your base OS. Windows or Linux.
2. Install or configure your firewall to deny all network activity.
3. Manually configure your IP address on the OS, do not set DNS servers. (Removes ability for DNS leaks).
4. Install tor, and allow it alone to have access to the network.
5. Configure your browser to use tor.
6. Adjust permissions on firewall to allow browser and tor to connect.

The result is, everything from the browser should be forced over tor. Anything that attempts to connect to the internet directly gets blocked by the firewall. Its good in theory, but perhaps I'm overlooking something?

 

I have read this link and am not sure it answers my question mostly because I phrased my question badly.

The issue is not can JS get the IP but can JS get the IP if the user is behind Tor.

If someone is using Tor (and privoxy) can JS alone get the "real" IP of the user? Having used www.decloak.net and the other "testing" sites with JS on my believe is "negative". I assume that if it is possible then someone will code a website to demonstrate this.

 

With this exploit, if you meet the strict criteria (certain models of router, I think you even have to be logged in to the router when the xss is run), then it doesn't matter if you are behing Tor or any other VPN, the script runs on your machine, looks at your router, gets your IP adress from your router and sends it to the person running the exploit. Yeah, it's just a proof of concept exploit, and yeah, it only affects a subset of users, but in that particular case your IP address could be revealed even if you are using Tor.

Verizon FiOS Router XSS Proof-of-Concept:
http://samy.pl/vzwfios/index.htm

 

Just tried the Verizon FiOS Router XSS Proof-of-Concept: posted by mvario





The FF NoScript ABE module intercepts the attempt

I do not use a router, instead modem and FW. Whether this makes a difference to the tests ? If it does, another good reason i choose not to use a router