
I can see your local web servers

(http.jameshfisher.com)
652 points | jamesfisher | 1 comment
lostjohnny No.20028455
Nope, you can't

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)

Anyway

    TypeError: /(192\.168\.[0-9]+\.)[0-9]+/.exec(...) is null i-can-see-your-local-web-servers:169:41
replies(3): >>20028659 >>20029606 >>20029927
chronial No.20028659
The Cross-Origin check can be circumvented via DNS rebinding: when you request mypage.com, my DNS returns the IP of my web server. On all subsequent requests, it will return 127.0.0.1. Now localhost is on the same origin as my page.
replies(2): >>20028841 >>20034436
lostjohnny No.20028841
It doesn't matter, you should be in control of a DNS the user relies on and you should have your server send

    Access-Control-Allow-Origin: mypage.com
or

    Access-Control-Allow-Origin: * 

which is not a default anywhere AFAIK and is domain based, not IP based

And your server should be enabled to respond to mypage.com host header

replies(2): >>20028880 >>20029000
chronial No.20029000
Based on m12k's suggested interpretation of your comment:

> you should be in control of a DNS the user relies on

You always are when a user visits your domain – you control the DNS of your domain.

> Access-Control-Allow-Origin: *

You don't need access-control headers, because you stay on the same domain.

> Your server should be enabled to respond to mypage.com host header

Most servers listening on localhost ignore the host header.

replies(2): >>20030144 >>20030380
tgragnato No.20030144
The short TTL is very sketchy and most NIDS(s) have contextual rules to detect DNS rebinding attacks. One may additionally filter private ranges from responses and HTTP requests by host headers. Not to mention TLS.

It's useful against vulnerable IoT devices or home routers, but is it still effective to breach enterprise perimeters?
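The Host header filtering mentioned above is the server-side defence that makes a rebound request fail: the browser still sends `Host: mypage.com` to 127.0.0.1, so a localhost service that only answers for its own names refuses it. The following is an added example, not code from the thread or from the linked article; `ALLOWED_HOSTS` and the WSGI wrapper are constructed for illustration.

```python
# Host-header check that defeats DNS rebinding against a localhost service.
# A rebinding page makes the browser send "Host: mypage.com" to 127.0.0.1;
# a server that only answers for its own names (or a loopback literal)
# rejects that request instead of serving it as if it were same-origin.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost"}  # constructed allow-list; add real service names here


def split_host_port(host_header: str):
    """Return (host, port) from a Host header, handling [IPv6]:port forms."""
    parts = urlsplit("//" + host_header.strip())
    return (parts.hostname or "", parts.port)  # .port raises ValueError if malformed


def host_is_trusted(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this service itself.

    Loopback literals (127.0.0.0/8, ::1) and the allow-listed names pass;
    any other name, which is exactly what a rebound request carries, fails.
    """
    if not host_header:
        return False
    try:
        host, _port = split_host_port(host_header)
    except ValueError:
        return False
    if not host:
        return False
    if host.lower() in allowed:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def wsgi_host_guard(app):
    """Wrap a WSGI app: requests with an untrusted Host get 421 Misdirected Request."""
    def guarded(environ, start_response):
        if host_is_trusted(environ.get("HTTP_HOST", "")):
            return app(environ, start_response)
        start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
        return [b"Host header does not match this service\n"]
    return guarded
```

Note that the check looks only at the Host header, so it does nothing for a service that is reached by IP from a page served on the same rebound name; it is a complement to filtering private addresses out of DNS answers, not a replacement for it.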