
I can see your local web servers

(http.jameshfisher.com)
652 points jamesfisher | 1 comments
bill_joy_fanboy No.20029593
I'm interested in this because I don't fully understand the consequences here. I'd like to gain a deeper understanding through some concrete examples.

With the PHP CLI, I can run:

    php -S localhost:8000

With Python 3, I can run:

    python -m http.server 8000 --bind localhost

The demo fails for me in both cases, even though a request to localhost:8000 is sent. (EDIT: The server log in the terminal window does show that the request arrived at the local server).

My question is: What is the risk of running one of these servers and then visiting some random web page?

replies(2): >>20029995 >>20031108
1. penagwin No.20031108
Worst case they proxy all of the requests and can essentially access anything open on the port. For me it's all development stuff, so if they want access to a broken-half-the-time application with mock data then whatever.

However they'd have to know the routes to request to (or proxy all requests and do it in realtime) which isn't very likely if it's just some development application specific to you.

Basically there really isn't much risk if you aren't exposing anything interesting. Maybe if you're working on something proprietary it could be leaked?

Either way you may as well reconfigure your applications if the webpage can detect them, the risk is low but still existent.
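One way to do the reconfiguration that the reply above suggests, as an added example that is not from the thread or from the linked demo: a variant of Python's `http.server` that only serves requests whose `Host`, `Origin`/`Referer` and `Sec-Fetch-Site` headers say the request came from the local machine itself, so a browser tab loaded from some other site gets a 403 instead of your files. The port, the allowed host names and the sample headers are assumptions.

```python
"""Local-only dev server: `--bind localhost` keeps other machines out, but
the browser is on loopback too, so a foreign page can still make it send
requests here. These checks reject such requests before any file is served.
"""
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed local names
LOCAL_SITES = {"same-origin", "same-site", "none"}  # Sec-Fetch-Site values

def _hostname(url):
    """Hostname of a URL (or of a bare 'host:port' when prefixed with //)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 brackets
        return ""

def is_local_request(headers):
    """Return (allowed, reason) for any mapping of request headers."""
    if _hostname("//" + headers.get("Host", "")) not in ALLOWED_HOSTS:
        return False, f"foreign Host: {headers.get('Host', '')!r}"  # DNS rebinding
    # Browsers omit Origin on no-cors GETs (e.g. <img> probes), so also use
    # Sec-Fetch-Site (sent by current browsers) and Referer as signals.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in LOCAL_SITES:
        return False, f"Sec-Fetch-Site: {site}"
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is not None and _hostname(value) not in ALLOWED_HOSTS:
            return False, f"cross-site {name}: {value!r}"
    return True, "ok"

class LocalOnlyHandler(SimpleHTTPRequestHandler):
    def _guard(self):
        allowed, reason = is_local_request(self.headers)
        if not allowed:
            self.log_message("rejected %s %s: %s", self.command, self.path, reason)
            self.send_error(403, "Local requests only")
        return allowed

    def do_GET(self):
        if self._guard():
            super().do_GET()

    def do_HEAD(self):
        if self._guard():
            super().do_HEAD()

if __name__ == "__main__":  # assumed port; serves the current directory
    ThreadingHTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```

Rejected requests still show up in the terminal log, which is the same log the questioner used to confirm the demo's request arrived.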