(http.jameshfisher.com)

652 points jamesfisher | 1 comments | 28 May 19 07:57 UTC | HN request time: 0.216s | source

Show context

founderling ◴[28 May 19 08:58 UTC] No.20028376[source]▶

>>20028108 (OP) #

I started a local webserver listening on localhost:80 just to see what happens, but this thing seems to not detect it. It shows me "Scanning localhost ... localhost complete."

Edit: My guess is that this thing can only detect servers that send a CORS header that permits cross domain access.

It could probably do way better detection if it did not do xhr requests but added script/css/whatever elements to its own page pointing to localhost and detects if those error out.

replies(5): >>20028381 #>>20028422 #>>20028443 #>>20034079 #>>20036964 #

ozim ◴[28 May 19 20:30 UTC] No.20034079[source]▶

>>20028376 #

I started python -m SimpleHTTPServer 5000 and site reports nothing, but I get: 127.0.0.1 - - [28/May/2019 22:14:51] "GET / HTTP/1.1" 200 - each time I refresh page. So it sends request that is received by server but somehow does not register on site.

replies(1): >>20035046 #

Skunkleton ◴[28 May 19 22:27 UTC] No.20035046[source]▶

>>20034079 #

Because your browser is preventing the javascript from accessing the response.

replies(1): >>20037161 #

1. lostmsu ◴[29 May 19 05:53 UTC] No.20037161[source]▶

>>20035046 #

I wonder if one can read the response via the time side-channel attack.

↑

I can see your local web servers