Web browser anonymity threats

Anonymity in important for many people. Few years ago, it was problematic issue only for hackers, human rights workers and anonymity freaks. They want to keep they identity in secret for obvious reasons. They were traced only by law enforcement agencies and government. Today everything is much more difficult. Hundreds of advertising agencies trying to reveal identity of people to target their commercials better.

Web browser can give them so many information. For example in which languages you speak (browser shares your language preferences with sites you visit)., in which city you live (this can be obtained from IP), how big is your computer display (web page can get your display resolution), what video player or office suite you have installed (they can query installed browser plugins) and much more...

Server side

Various information are available from PHP and Apache.

This include IP address, hostname (reverse DNS lookup), source port and sometimes user name:

Your IP: 
Your hostname: 
Your source port: 
Your username: 

Those basic information are available from _SERVER associative array members named REMOTE_ADDR, REMOTE_PORT and REMOTE_USER.

Here is an example how to get hostname quering DNS using gethostbyaddr():

<?php echo gethostbyaddr($_SERVER["REMOTE_ADDR"]); ?>

In the same way we can obtain name and version of browser (HTTP_USER_AGENT). You are using:


HTTP_REFERER reveals site you come form. Currently:


We are able to check what browser accepts as a response (HTTP_ACCEPT, HTTP_ACCEPT_ENCODING, HTTP_ACCEPT_CHARSET):

HTTP_ACCEPT: 
HTTP_ACCEPT_ENCODING: 
HTTP_ACCEPT_LANGUAGE: 
HTTP_ACCEPT_CHARSET: 

Those settings may leak your language and, if you leave default settings, your browser identity.

Proxy

Proxy servers often adds new headers to those sent by browser. We can access them using HTTP_X_FORWARDED_FOR and HTTP_FORWARDED . Some proxy servers sets also headers like HTTP_CLIENT_IP, HTTP_VIA, HTTP_PROXY_CONNECTION, HTTP_XROXY_CONNECTION.

Currently they are set to:

X-Forwarded-For: 
Forwarded: 
Client-IP: 
Via: 
PROXY: 
XROXY: 

If none of above is set user is probably using direct connection. However some proxy servers (often called "high anonymous proxy" or "elite proxy") forward requests without adding any headers or even removing some headers that leaks browser identity.

Client side

Web browser may leak user identity to anyone who is able to run JavaScript. By default browsers run any script embedded into web page.


Browser identity is hold in navigator object. Its name is in navigator.appName Currently:


Browser code name (navigator.appCodeName):


Browser version (navigator.appVersion):


Finally, platform it is running on (navigator.platform):


History length (or how many pages were visited - history.length):


Screen size and dept is hold in screen object. Example code to obtain screen properties:

document.write(screen.width," x ",screen.height, " x ", screen.colorDepth, " bpp (available for browser: ", window.screen.availWidth, " x ", window.screen.availHeight, ")");

Result of the above:


Referrer can be read from document.referrer:


Using simple loop one can iterate trough installed plugins:

if (navigator.plugins.length) {
  for (i = 0; i < navigator.plugins.length; i++) {
    plugin = navigator.plugins[i];
    document.write(plugin.name, " (", plugin.filename, ")\n");
  }
}

Result of above code:


Java

If Java is enabled JavaScript can use Java VM to obtain more information from OS. navigator.javaEnabled() returns true or false if Java is enabled.


JavaScript with small help of Java can obtain client IP address with:

if (navigator.javaEnabled()) {
  addr=java.net.InetAddress.getLocalHost();
  host=addr.getHostName();
  ip=addr.getHostAddress();
  document.write(ip, " (hostname: ", host, ")");
}

Results:


Or with alternative version:

if (navigator.javaEnabled()) {
  host= window.location.host;
  port=window.location.port || 80;
  sock=new java.net.Socket();
  sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
  sock.connect(new java.net.InetSocketAddress(host, (!port)?80:port));
  addr=sock.getLocalAddress();
  host=addr.getHostName();
  ip=addr.getHostAddress();
  document.write(ip, " (hostname: ", host, ")");
} else {
  document.write("Java disabled");
}

Results:


Java applets

Another possibility to obtain IP address of client is using Java applets. Here is sample applet that tries to connect back to web server and reveal client address:

// <applet code="ShowIP" width="240" height="30"></applet>

import java.applet.*;
import java.awt.*;
import java.net.*;

public class ShowIP extends Applet {
    String m_ip;
    public void init() {
        try {
            m_ip = (new Socket(getDocumentBase().getHost(), getDocumentBase().getPort())).getLocalAddress().getHostAddress();
        } catch (Exception e) {
            m_ip = "unknown";
            e.printStackTrace();
        }
    }
    public void stop() { }
    public void paint(Graphics g) {
        g.drawString(m_ip, 10, 10);
    }
}

Applet in action:

ActiveX and other threats

ActiveX object can reveal client identity, too. Fortunately AvtiveX works only in Internet Explorer on Windows. Maybe also Flash's Action Script can be used to achieve this. If you known any other possibilities let me known.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.