While testing some new misp-modules, such as the OpenAPI interface, I discovered a strange behavior in Firefox when trying to reach TCP port 6666, which is the default port used by misp-modules.

It seems Firefox blocks access to a predefined list of TCP ports, and this has been in place for quite some time, as you can see in the commit log.

If you want to override the blocked port list, there is an obscure setting called network.security.ports.banned.override.

Still wondering about the threat model and the reason behind this restriction.

#firefox #cybersecurity

🔗 The origin of the bad port list https://fetch.spec.whatwg.org/#port-blocking

🔗 Firefox source code with the bad port list https://github.com/mozilla-firefox/firefox/blob/0d35bd1655f9868b796df7835c990efd9d2909a2/netwerk/base/nsIOService.cpp#L121

🔗 Someone else having the issue https://patrickwu.space/2025/05/13/this-address-is-restricted/


@adulau IRC makes me think botnets – so malware in the browser cannot reach a command server.
@alex @otmar Yep, but any port can be used, so I don't get the actual logic of keeping that blocking list in Firefox nowadays.
@adulau IIRC, 6666 is (or used to be) IRC, and I guess that people DDoS'ed IRC servers by putting links to http://target:6666/ in popular webpages.
@adulau Ah yes, I remember this one ... obscure and hidden; it's not visible in the default list of settings in about:config. You have to create it, regedit style ...

@adulau Oh, I remember when these mitigations came out. I believe this is the original paper: https://web.archive.org/web/20030708082653/http://www.remote.org/jochen/sec/hfpa/hfpa.pdf

The general problem is text-based protocols that could be spoofed well enough by the HTTP request generated by something like an HTML form submission that it could be confused for that protocol. So, like sending spam to an SMTP server or sending abusive messages to an IRC channel or something.

Modern SMTP servers will have defenses against these kinds of attacks, for instance delaying the server's initial 220 banner and detecting clients that speak before the 220 is sent, or detecting SMTP clients that send a sequence of commands before waiting for the server's response, etc.

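To make the two points above concrete (the form-submission vector from the earlier reply about http://target:6666/ links, and the banner-delay and pipelining checks just described), here is an added example that is not part of this thread and not code from Firefox, misp-modules or any mail server. It builds the bytes a browser would emit for a text/plain form POST to port 25, feeds them to a simulated tolerant SMTP command loop, and then shows the same bytes being refused by a server that delays its 220 banner and refuses early talkers and command bursts. All hostnames, addresses, timings and the payload are constructed for illustration; nothing touches the network.

```javascript
// Added example, not code from the thread or from any project it mentions.
// Models (1) how an HTML form submission to a non-HTTP port looks on the wire and
// (2) the server-side checks described above: a delayed 220 banner that exposes clients
// which speak before the greeting, and a check for clients that send several commands
// without waiting for a response. Hostnames, addresses and timings are made up.

const SMTP_VERBS = new Set(['HELO', 'EHLO', 'MAIL', 'RCPT', 'DATA', 'RSET', 'NOOP', 'QUIT']);

// Bytes a browser sends for
//   <form method="post" enctype="text/plain" action="http://target.example:25/">
// with one textarea named `name` holding `value` (textarea newlines go out as CRLF).
function formPostBytes(host, port, name, value) {
  const body = `${name}=${value}\r\n`;
  return ['POST / HTTP/1.1', `Host: ${host}:${port}`, 'Content-Type: text/plain',
          `Content-Length: ${Buffer.byteLength(body)}`, '', body].join('\r\n');
}

function verbOf(line) {
  return line.split(/[ :]/)[0].toUpperCase();
}

// Simulate a line-based SMTP server. `chunks` are constructed arrivals of client bytes
// as {t: ms since connect, data}. A tolerant server answers unknown lines with 500 and
// carries on, which is what lets the HTTP preamble be ignored and the body executed.
function simulateSmtpSession(chunks, { bannerDelayMs = 0, rejectEarlyTalker = false,
                                       rejectPipelining = false } = {}) {
  const log = [`S(${bannerDelayMs}ms): 220 mx.target.example ESMTP`];
  const accepted = [];
  let queued = 0;

  // Check 1: bytes received before the banner went out come from a client that did not
  // wait for the greeting. A browser POSTs on connect, so it is always caught here.
  // With bannerDelayMs = 0 there is no window to observe, which is why servers delay.
  if (rejectEarlyTalker && chunks.some(c => c.t < bannerDelayMs)) {
    log.push('S: 554 5.7.0 client spoke before greeting');
    return { verdict: 'rejected', reason: 'early-talker', accepted, queued, log };
  }
  // Check 2: several commands in one chunk although PIPELINING was never negotiated.
  // (Simplified: DATA payload lines are not excluded; a real server tracks state.)
  const burst = c => c.data.split('\r\n').filter(l => SMTP_VERBS.has(verbOf(l))).length > 1;
  if (rejectPipelining && chunks.some(burst)) {
    log.push('S: 554 5.5.0 commands sent without waiting for a response');
    return { verdict: 'rejected', reason: 'pipelining', accepted, queued, log };
  }

  let inData = false;
  for (const line of chunks.map(c => c.data).join('').split('\r\n')) {
    if (inData) {
      if (line === '.') { inData = false; queued += 1; log.push('S: 250 queued'); }
      continue;
    }
    if (line === '') continue;
    const verb = verbOf(line);
    if (!SMTP_VERBS.has(verb)) { log.push(`S: 500 unrecognised: ${line}`); continue; }
    accepted.push(line);
    if (verb === 'DATA') { inData = true; log.push('S: 354 end with .'); }
    else log.push('S: 250 OK');
  }
  return { verdict: 'accepted', reason: null, accepted, queued, log };
}

// Constructed attacker payload: the textarea value starts with CRLF so the first SMTP
// command lands on its own line after the "x=" prefix the browser adds.
const SMUGGLED = ['', 'HELO evil.example', 'MAIL FROM:<spam@evil.example>',
  'RCPT TO:<victim@target.example>', 'DATA', 'Subject: hi', '', 'unwanted mail', '.', 'QUIT',
].join('\r\n');
const FORM_POST = formPostBytes('target.example', 25, 'x', SMUGGLED);

// A naive server processes the smuggled commands and queues the message.
function naiveServerResult() {
  return simulateSmtpSession([{ t: 0, data: FORM_POST }]);
}
// A hardened server never gets past the greeting check.
function hardenedServerResult() {
  return simulateSmtpSession([{ t: 0, data: FORM_POST }],
    { bannerDelayMs: 2000, rejectEarlyTalker: true, rejectPipelining: true });
}
// Even if the same bytes arrived after the banner, the command burst is refused.
function lateTalkingBrowserResult() {
  return simulateSmtpSession([{ t: 2100, data: FORM_POST }],
    { bannerDelayMs: 2000, rejectEarlyTalker: true, rejectPipelining: true });
}
// A well-behaved MUA waits for the banner and sends one command per response.
function legitimateClientResult() {
  const chunks = ['EHLO mua.example', 'MAIL FROM:<a@mua.example>',
                  'RCPT TO:<b@target.example>', 'QUIT']
    .map((cmd, i) => ({ t: 2100 + 100 * i, data: `${cmd}\r\n` }));
  return simulateSmtpSession(chunks,
    { bannerDelayMs: 2000, rejectEarlyTalker: true, rejectPipelining: true });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of [naiveServerResult(), hardenedServerResult(),
                   lateTalkingBrowserResult(), legitimateClientResult()]) {
    console.log(r.verdict, r.reason, 'accepted:', r.accepted.length, 'queued:', r.queued);
    console.log('  ' + r.log.join('\n  '));
  }
}
```

Run it with `node` to see the server-side transcript for each scenario: the naive server replies 500 to the four HTTP lines and to `x=`, then happily accepts HELO, MAIL, RCPT, DATA and QUIT and queues the message, which is the inter-protocol attack in one screen; the hardened server closes at 554 before any command is parsed. The same pattern applies to IRC: a port-blocking list in the browser removes the vector for the well-known ports, while a server-side greeting delay removes it for any port the service actually listens on.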

@edmonds Thanks a lot for digging in the archive.
🔗 The Register: Firefox-based attack wreaks havoc on IRC users (World's first inter-protocol exploit, but not the last)