JLLeitschuh/local-network-access-vulnerability-poc

Local Network Access Vulnerability POC

This repository contains a proof of concept (POC) for the local network access vulnerability described here: https://github.com/explainers-by-googlers/local-network-access. It demonstrates how, because the browser fails to require explicit opt-in by the user, an attacker can exploit this vulnerability to gain unauthorized access to local network resources.

To be clear, this is a dead stupid simple POC. You might even say "duh, that's obviously how it works". But that's the point: this vulnerability is so simple, and that's what makes it so dangerous. Browsers shouldn't be allowing local network access from a public website.

To see more cases of this vulnerability and how it has been exploited in the wild, check out this issue: WICG/local-network-access#21

How to Run the POC

  1. Open the GitHub Pages link for this repository, https://jlleitschuh.org/local-network-access-vulnerability-poc/, and observe that the fetch request to the local server fails.
  2. Clone this repository to your local machine.
  3. Run the python3 server.py command to start a local HTTP server.
  4. Return to the GitHub Pages link and refresh the page.
  5. Observe that the fetch request to the local server now succeeds.

This demonstrates that the browser is allowing access to local network resources without explicit user consent, which is the crux of the vulnerability.
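
Until browsers gate these requests, a local service can refuse them itself. The following is an added sketch, not the repository's server.py: a loopback-only Python server that rejects requests with an unexpected Host, a foreign Origin, or a cross-site Sec-Fetch-Site value. The port and the allowlists are assumed values.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for this sketch: the port and the names the service is reached by.
PORT = 8000
ALLOWED_HOSTS = {f"localhost:{PORT}", f"127.0.0.1:{PORT}"}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


def is_request_allowed(headers):
    """Return (allowed, reason) for a mapping of request header names to values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Host must be a name we expect; this blocks DNS rebinding, where a public
    # hostname is re-pointed at 127.0.0.1.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # Origin, when sent, must be the service's own origin.
    origin = h.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, "foreign Origin"
    # Fetch Metadata: browsers label requests started by another site,
    # including no-cors loads (img, script) that may carry no Origin.
    if h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site request"
    # Non-browser clients that send neither header pass on the Host check alone.
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        allowed, reason = is_request_allowed(dict(self.headers.items()))
        body = (reason + "\n").encode()
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # Deliberately no Access-Control-Allow-Origin header.
        self.end_headers()
        self.wfile.write(body)

    do_OPTIONS = do_GET  # CORS preflights get the same check


if __name__ == "__main__":
    # Bind to loopback only, never 0.0.0.0.
    HTTPServer(("127.0.0.1", PORT), GuardedHandler).serve_forever()
```
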

Browsers Affected

This has been tested in the following browsers:

| Browser | Version | OS | Working |
|---------|---------|----|---------|
| Chrome | 137.0.7151.104 | macOS | ✅ Loads |
| Firefox | 139.0.4 | macOS | ✅ Loads |
| Opera | 119.0.5497.88 | macOS | ✅ Loads |
| Edge | 137.0.3296.68 | macOS | ✅ Loads |
| Safari | 18.3.1 | macOS | ✅ Loads * |

*Safari Note

Safari doesn't allow for mixed http/https content. The demo won't work in Safari unless you load the page over HTTP instead of HTTPS. You can access the demo via HTTP with this link instead: http://jlleitschuh.org/local-network-access-vulnerability-poc/

I believe this limitation could be bypassed by issuing a certificate for a domain that points to 127.0.0.1. This was done by Yandex for the domain yandexmetrica.com, which was uncovered in the recently disclosed LocalMess research: https://localmess.github.io/#yandex-metrica

Credit

The photo used in this repository is from https://http.cat/
