To explain clearly the internal network protection function tested by Chrome, we must first give an example (a brief explanation, not a complete process, for details, please refer to CSRF (cross-site request forgery)) to help everyone understand. For example, there is a vulnerable router in the intranet environment used by Bluepoint. This vulnerability can be executed through local code (such as injection), but I have not upgraded the firmware for a long time to fix this vulnerability.

It is not easy for hackers to use this vulnerability to invade, but they can be relayed through the browser. For example, a piece of content that executes this malicious code can be embedded on a website. When I browse this web page, this malicious code can be executed.

By analogy, hackers can search for a large number of known vulnerabilities and create malicious code and then place it on some popular websites. In this way, when everyone browses, there is always a certain probability that they will encounter a device that happens to be affected by the vulnerability in the intranet, and then be invaded.

Internal network protection features:

Chrome's new internal network feature is designed to block such attacks. The explanation given by Google is: In order to prevent malicious websites from attacking devices and services through the network location of the user agent, these devices and services are reasonably set up to reside on the user's local intranet or user computer and are not accessible from the entire Internet.

To this end, Google has launched an internal network protection function that prohibits cross-site access from the public network to private network addresses, such as addresses such as 127.0.0.1 or 192.168.1.1.

Chrome will perform a pre-check when loading a web page to verify whether the request comes from a secure context and send a preliminary request to check whether the site to be accessed is an internal address (such as an HTTP server built on the intranet, a router that can be accessed through local IP).

For example, the following embedded iframe can be used to perform a CSRF attack to modify the router DNS on the local network:

<iframehref="https://admin:[email protected]/set_dns?server1=123.123.123.123">

New error message:

When such access requests are blocked, Chrome will display the error message: BLOCKED_BY_PRIVATE_NETWORK_ACCESS_CHECKS

This means that the currently visited website is trying to access an internal address. When users see such prompts, they should be alert and beware that there are some problems with the website itself.

Finally, this feature has not yet been officially launched, and will be gradually tested in various channels of Chrome.