Vulnerabilities in private networks are difficult to detect for attackers outside of the network. While there are known methods for port scanning internal hosts that work by luring unwitting internal users to an external web page that hosts malicious JavaScript code, no such method for detailed and precise service identification is known. The reason is that the Same Origin Policy (SOP) prevents access to HTTP responses of other origins by default. We perform a structured analysis of loopholes in the SOP that can be used to identify web applications across network boundaries. For this, we analyze HTML5, CSS, and JavaScript features of standard-compliant web browsers that may leak sensitive information about cross-origin content. The results reveal several novel techniques, including leaking JavaScript function names or styles of cross-origin requests that are available in all common browsers. We implement and test these techniques in a tool called CORSICA. It can successfully identify 31 of 42 (74%) of web services running on different IoT devices as well as the version numbers of the four most widely used content management systems WordPress, Drupal, Joomla, and TYPO3. CORSICA can also determine the patch level on average down to three versions (WordPress), six versions (Drupal), two versions (Joomla), and four versions (TYPO3) with only ten requests on average. Furthermore, CORSICA is able to identify 48 WordPress plugins containing 65 vulnerabilities. Finally, we analyze mitigation strategies and show that the proposed but not yet implemented strategies Cross-Origin Resource Policy (CORP)} and Sec-Metadata would prevent our identification techniques.

翻译：私人网络的不稳定性很难为网络外攻击者探测到。 虽然有已知的港口扫描内部主机的方法, 将内部用户不经意地引入一个外部网页, 以隐藏恶意 JavaScript 代码, 但却不知道这种详细和精确的服务识别方法。 原因是同源政策( SOP) 阻止获取 HTTP 对其它来源的默认反应。 我们对SOP 中的漏洞进行了结构化分析, 可用于识别网络边界之外的网络应用程序。 为此, 我们分析符合标准的网络浏览器的 HTML5、 CSS 和 JavaScript 功能, 从而可能泄露关于跨源内容的敏感信息。 结果显示了若干新技术, 包括泄漏 JavaScript 函数的名称或所有通用浏览器中可用的交叉请求的风格。 我们在一个名为 CORSIICA 的工具中实施并测试这些技术。 它能够成功地识别在不同的 IOTO 设备上运行的42( 74% ) 的网络服务, 以及四个最广泛使用的内容管理系统的版本 OW- DWPress、 Drupal、 JOFDODL 和OTY 平均版本。