←back to thread

I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 5 comments | 28 May 19 07:57 UTC | HN request time: 0s | source
Show context
lostjohnny ◴[28 May 19 09:15 UTC] No.20028455[source]
Nope, you can't

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)
Anyway

    TypeError: /(192\.168\.[0-9]+\.)[0-9]+/.exec(...) is null i-can-see-your-local-web-servers:169:41
replies(3): >>20028659 #>>20029606 #>>20029927 #
chronial ◴[28 May 19 10:04 UTC] No.20028659[source]
The Cross-Origin check be circumvented via DNS Rebinding: When you request mypage.com, my DNS returns the ip of my webserver. On all subsequent requests, it will return 127.0.0.1. Now localhost is on the same origin as my page.
replies(2): >>20028841 #>>20034436 #
lostjohnny ◴[28 May 19 10:50 UTC] No.20028841[source]
It doesn't matter, you should be in control of a DNS the user relies on and you should have your server send

    Access-Control-Allow-Origin: mypage.com
or

    Access-Control-Allow-Origin: *
which is not a default anywhere AFAIK and is domain based, not IP based

And your server should be enabled to respond to mypage.com host header

replies(2): >>20028880 #>>20029000 #
chronial ◴[28 May 19 11:23 UTC] No.20029000[source]
Based on m12k's suggested interpretation of your comment:

> you should be in control of a DNS the user relies on

You always are when a users visits your domain – you control the DNS of your domain.

> Access-Control-Allow-Origin: *

You don't need access-control headers, because you stay on the same domain.

> Your server should be enabled to respond to mypage.com host header

Most servers listening on localhost ignore the host header.

replies(2): >>20030144 #>>20030380 #
lostjohnny ◴[28 May 19 14:27 UTC] No.20030380{3}[source]
> You always are when a users visits your domain – you control the DNS of your domain.

I meant you need to control the poisoned DNS

If I use 8.8.8.8 as DNS you can only work on the domains you already control, which is kinda useless

> You don't need access-control headers, because you stay on the same domain.

No, you don't

My localhost server only respond to localhost and 127.0.0.1 host header

Not to mypage.com

Nginx does taht too by default

https://github.com/nginx/nginx/blob/master/conf/nginx.conf#L...

But even if you did, you still haven't resolved the issue: you can't make a call to a different domain without access-control headers, unless it's the same domain

you can't load mypage.com and then fetch from www.mypage.com, even if you resolve www.mypage.com to 127.0.0.1 the browser won't let you do it

replies(1): >>20030550 #
1. tgragnato ◴[28 May 19 14:40 UTC] No.20030550{4}[source]
> But even if you did, you still haven't resolved the issue: you can't make a call to a different domain without access-control headers, unless it's the same domain

> you can't load mypage.com and then fetch from www.mypage.com, even if you resolve www.mypage.com to 127.0.0.1 the browser won't let you do it

In this part you’re confusing what a rebinding attack is: by serving a DNS response with a short TTL an attacker is able to associate two different IPs to the same query, thus it'd be mypage.com and mypage.com (not www.mypage.com).. bypassing the same origin restrictions of the browsers.

https://capec.mitre.org/data/definitions/275.html

replies(1): >>20030844 #
2. lostjohnny ◴[28 May 19 15:06 UTC] No.20030844[source]
> In this part you’re confusing what a rebinding attack is: by serving a DNS response with a short TTL an attacker is able to associate two different IPs

But it doesn't really work.

I query my DNS, on my home router, not your DNS.

And the DNS on my home router query the ISP's DNS, which caches requests.

I bet you can't go below few minutes resolution.

I had this problem when validating the Letsencrypt DNS challenge, I had to let certbot run for almost 20 minutes before my home router picked up the new value.

When I'm at work, I use the company's DNS, which ignores non standard TTLs and caches the first answer forever (well... almost) and disallow external domains that resolve to reserved IP addresses.

replies(2): >>20030923 #>>20036644 #
3. tgragnato ◴[28 May 19 15:12 UTC] No.20030923[source]
Depends on the resolver configuration. E.g.: unbound has cache-min-ttl, a way to increase cache efficiency (and a mitigation for attacks such as rebinding).

> Time to live minimum for RRsets and messages in the cache. Default is 0. If the the minimum kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. Zero makes sure the data in the cache is as the domain owner intended, higher values, especially more than an hour or so, can lead to trouble as the data in the cache does not match up with the actual data any more.

Which is one of the reasons I think this is manly effective against home networks.

4. OvermindDL1 ◴[29 May 19 03:36 UTC] No.20036644[source]
Wait, doesn't the certbot DNS challenge query the nameservers of the domain being checked, not your local DNS resolver, otherwise my fast DNS challenges should fail?
replies(1): >>20037689 #
5. lostjohnny ◴[29 May 19 07:50 UTC] No.20037689{3}[source]
Not by default [1], but you can set it to what you prefer.

But in my case my network is configured to always reach the in house DNS first, to keep latency low

[1] https://github.com/letsencrypt/boulder/blob/8167abd5e3c7a142...