
I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 3 comments
bill_joy_fanboy ◴[] No.20029593[source]
I'm interested in this because I don't fully understand the consequences here. I'd like to gain a deeper understanding through some concrete examples.

With the PHP CLI, I can run:

    php -S localhost:8000

With Python3, I can run:

    python -m http.server 8000 --bind localhost

The demo fails for me in both cases, even though a request to localhost:8000 is sent. (EDIT: The server log in the terminal window does show that the request arrived at the local server).

My question is: What is the risk of running one of these servers and then visiting some random web page?

replies(2): >>20029995 #>>20031108 #
maratd ◴[] No.20029995[source]
> My question is: What is the risk of running one of these servers and then visiting some random web page?

It depends on what you're exposing on those ports. If it's something sensitive, stop. Any web page can run JavaScript and as such, any web page has access to every port and service that your machine has access to ... because at that point, the web page is a program running on your machine with full network access.

However, this entire "vulnerability" makes no sense to me. Even if I'm running something on my machine or local network, I am not going to rely on the firewall as a security mechanism. That is profoundly stupid and is well known to be profoundly stupid. So all those servers, including the ones I am creating and running, will have their own security mechanisms. So you can ping my server? So what?

replies(1): >>20030265 #
1. echeese ◴[] No.20030265[source]
If it's got CORS enabled you can do a hell of a lot more than ping your server.
replies(1): >>20030696 #
2. maratd ◴[] No.20030696[source]
Wait, what? I think you mean the opposite. If it's got CORS enabled, then you can't do anything unless the request is originating from the relevant domain.

Anyway, do not rely on firewalls (and CORS is a firewall) as the sole security measure. Do not create unauthenticated endpoints unless you want everybody to use them.

replies(1): >>20031725 #
3. echeese ◴[] No.20031725[source]
To elaborate, I meant a permissive CORS policy, which is what I see most often.
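
An added example, not part of the thread: it starts a throwaway local server under three CORS policies and shows that the cross-origin request reaches the server every time, while a page script can read the body only when the `Access-Control-Allow-Origin` header admits the page's origin. `page_can_read` is a simplified model of the browser's check for a simple GET without credentials, and the origins `https://page.example` and `https://trusted.example` are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_handler(allow_origin, seen):
    """Build a handler; allow_origin=None means no CORS header is sent."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.headers.get("Origin"))  # the request always arrives
            self.send_response(200)
            if allow_origin is not None:
                self.send_header("Access-Control-Allow-Origin", allow_origin)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"local data")
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def page_can_read(page_origin, acao):
    """Simplified browser rule (assumption: simple GET, no credentials)."""
    return acao == "*" or acao == page_origin

def probe(allow_origin, page_origin="https://page.example"):
    """Return (request_reached_server, page_script_can_read_body)."""
    seen = []
    server = HTTPServer(("127.0.0.1", 0), make_handler(allow_origin, seen))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/", headers={"Origin": page_origin})
        resp = conn.getresponse()
        resp.read()
        readable = page_can_read(page_origin, resp.getheader("Access-Control-Allow-Origin"))
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return (seen == [page_origin], readable)

if __name__ == "__main__":
    # No CORS header, permissive wildcard, and an allow-list for another origin.
    for policy in (None, "*", "https://trusted.example"):
        print(repr(policy), probe(policy))
```

Because the request is delivered under every policy, an endpoint whose GET handler changes state is affected regardless of CORS; the header only governs whether the calling page sees the response.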