This is a continuation of the previous post on the subject of HTML forms abuse.

Kuza55 and others suggested that I publish a list of ports that are blocked for each browser, and it seems like a good idea to better understand the attack vector. The full list of blocked ports for each major browser is now included in the appendixes section.

Should you wish to reproduce this list, this is how I did it:

Requirements:

• tcpdump kung-fu
• time

Steps:

1. Choose an internal host that is reachable. We will use 192.168.0.1 as example. We will be launching a port scan on this machine. It is important to make sure that you have no other TCP connections between your machine and this host.
2. Start tcpdump with the following switches:

   tcpdump -w browsertest.cap tcp and dst host 192.168.0.1

3. Load this page on your web browser. It will take a while - Internet Explorer can take up to a day, while other browsers (on a Mac) typically take 20 minutes or so. It doesn’t work with Mozilla (Firefox) browsers.
4. Use this python script (makes use of scapy) to extract the ports that were not hit.

If you got a more efficient way of doing this just drop me an email.

Meanwhile download the updated paper.