Obtaining LAN IP from JavaScript for CSRF

Posted by Craig Young on Sep 22

I recently came across an interesting PoC on GitHub for utilizing STUN to
determine a local LAN IP via JavaScript. This was surprising to me since I
thought you generally shouldn’t be able to identify the LAN IP in
JavaScript, so I have started using this in CSRF exploit demonstrations.

A brief explanation including a link back to the original work is on the
Tripwire State of Security blog here:…
