quick-lint / quick-lint-js

quick-lint-js finds bugs in JavaScript programs
https://quick-lint-js.com
GNU General Public License v3.0
1.55k stars 192 forks

debug server is vulnerable to DNS rebinding attacks #951

Open strager opened 1 year ago

strager commented 1 year ago

Solution: Validate the Host header in requests.

sixcorners commented 1 year ago

Here is a write-up about it wrt tailscale: https://emily.id.au/tailscale

Here is a bit about how PNA CORS prevents it but Firefox doesn't check that: https://emily.id.au/tailscale#dns-rebinding-is-dead

Here is a hacker news post about that article: https://news.ycombinator.com/item?id=33695886

Here is how CUPS validates it: https://github.com/apple/cups/blob/d03753f33432c790d7ed6c2487080e09bf884254/scheduler/client.c#L3586

It checks to see if the header is case-insensitively set to "localhost", "localhost.", 127.0.0.1, or [::1]. When I try to access my CUPS over 127.0.0.2, for instance, it refuses the connection: http://127.0.0.2:631/
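The Host-header allow-list described above (the solution proposed at the top of the issue, with the same names CUPS accepts), as an added example in C++. This is illustrative code written for this thread, not quick-lint-js's debug server code; the function name `is_allowed_host` and the handling of an optional `:port` suffix are assumptions. A request whose Host header does not name the loopback interface should get a 400 rather than being served, and a missing header fails the check too.

```cpp
// Added example, not quick-lint-js code: allow-list check of the HTTP Host
// header for a loopback-only debug server. Accepts only the names CUPS
// accepts ("localhost", "localhost.", "127.0.0.1", "[::1]"), compared
// case-insensitively, with an optional ":port" suffix.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string_view>

// Remove an optional ":port" suffix. IPv6 literals are bracketed
// ("[::1]:6969"), so for those the port separator follows the ']'.
static std::string_view strip_port(std::string_view host) {
    if (!host.empty() && host.front() == '[') {
        std::size_t close = host.find(']');
        if (close == std::string_view::npos) {
            return host;  // malformed; it will not match the allow-list
        }
        return host.substr(0, close + 1);
    }
    std::size_t colon = host.find(':');
    return colon == std::string_view::npos ? host : host.substr(0, colon);
}

// ASCII case-insensitive equality (the allow-list is ASCII only).
static bool iequals(std::string_view a, std::string_view b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// True only if the Host header names the loopback interface. An empty or
// missing header, an arbitrary domain (the DNS-rebinding case), or another
// loopback address such as 127.0.0.2 all return false.
bool is_allowed_host(std::string_view host) {
    static constexpr std::string_view allowed[] = {"localhost", "localhost.",
                                                    "127.0.0.1", "[::1]"};
    std::string_view name = strip_port(host);
    for (std::string_view a : allowed) {
        if (iequals(name, a)) {
            return true;
        }
    }
    return false;
}

// Map the check onto the HTTP status the server should answer with.
int status_for_host(std::string_view host) {
    return is_allowed_host(host) ? 200 : 400;
}

int main() {
    const char* samples[] = {"localhost:6969", "127.0.0.1", "[::1]:6969",
                             "attacker.example", "127.0.0.2", ""};
    for (const char* h : samples) {
        std::printf("Host: %-18s -> %d\n", h, status_for_host(h));
    }
    return 0;
}
```

The check is on the exact Host value, so `localhost.evil.example` (what a rebinding attacker's DNS name looks like to the server) is rejected, and a browser-issued request to `http://localhost:6969/` still passes.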

strager commented 1 year ago

@sixcorners Thanks for the help, especially for bringing up the issue and also the CUPS solution.

sixcorners commented 1 year ago

Correction: It's probably refusing the connection because it's bound to 127.0.0.1... heh.

`curl -vH"Host: lol" http://127.0.0.1:631/`

This responds with a 400 Bad Request page.

strager commented 1 year ago

Idea: Generate a secret key and pass it as a fragment in the URL (e.g. http://localhost:6969/#a90u834bb). WebSocket (private data) would be blocked by the server without this key.

The only thing that could be exposed with this approach is the fact that quick-lint-js is running and maybe its version number.

The hard part is showing the user the key.

strager commented 1 year ago

https://cathyjf.com/articles/local-servers-can-get-you-compromised

sixcorners commented 1 year ago

Seems like a good idea to me. Would a malicious website be able to keep guessing keys?

strager commented 1 year ago

> would a malicious website be able to keep guessing keys?

I'd need to build spam protection (e.g. request limits) to prevent this attack.
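The secret-key idea from earlier in the thread together with the request limit mentioned here, as an added C++ example (illustrative code for this issue, not quick-lint-js's code). Because a URL fragment is never sent in the HTTP request, the page's script has to read `location.hash` and present the key in-band, for example as the first WebSocket message; the server side of that is what this shows. The class name `token_guard`, the `auth_result` values and the failure budget of five attempts are assumptions. Since every request in the rebinding scenario comes from the same local browser, the limit is a single global budget rather than a per-address one: a 128-bit key cannot be guessed in practice anyway, so the limiter's job is to turn a guessing attempt into an immediate lockout that the user can notice.

```cpp
// Added example, not quick-lint-js code: random per-run key, constant-time
// comparison, and a global failed-attempt budget for the WebSocket endpoint.
#include <cstdio>
#include <random>
#include <string>
#include <string_view>

// 16 random bytes (128 bits) rendered as 32 hex characters. Assumes
// std::random_device is backed by the OS CSPRNG, which is the case for the
// common standard libraries but is not guaranteed by the C++ standard.
std::string generate_token(std::size_t num_bytes = 16) {
    static constexpr char hex[] = "0123456789abcdef";
    std::random_device rd;
    std::string out;
    out.reserve(num_bytes * 2);
    for (std::size_t i = 0; i < num_bytes; ++i) {
        unsigned byte = rd() & 0xFFu;
        out.push_back(hex[byte >> 4]);
        out.push_back(hex[byte & 0xFu]);
    }
    return out;
}

// Constant-time equality so response timing does not leak how many leading
// characters of a guess were right. Length is the only thing returned early,
// and the expected length is public (32 hex characters).
bool tokens_equal(std::string_view a, std::string_view b) {
    if (a.size() != b.size()) {
        return false;
    }
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) {
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    }
    return diff == 0;
}

enum class auth_result { ok, wrong_token, locked_out };

// Guards the private (WebSocket) endpoint. Once max_failures wrong keys have
// been presented, every further attempt is refused, right key or not, until
// the server is restarted (which also mints a fresh key).
class token_guard {
public:
    explicit token_guard(std::string token, int max_failures = 5)
        : token_(std::move(token)), max_failures_(max_failures) {}

    auth_result authorize(std::string_view presented) {
        if (failures_ >= max_failures_) {
            return auth_result::locked_out;
        }
        if (tokens_equal(presented, token_)) {
            return auth_result::ok;
        }
        ++failures_;
        return auth_result::wrong_token;
    }

    int failures() const { return failures_; }

private:
    std::string token_;
    int max_failures_;
    int failures_ = 0;
};

int main() {
    std::string key = generate_token();
    token_guard guard(key);
    // The user opens this URL; the fragment stays in the browser and the
    // page script sends it over the WebSocket.
    std::printf("open http://localhost:6969/#%s\n", key.c_str());
    std::printf("right key -> %d\n", guard.authorize(key) == auth_result::ok);
    std::printf("wrong key -> %d\n", guard.authorize("a90u834bb") == auth_result::wrong_token);
    return 0;
}
```

The public HTTP endpoints (the page itself, the version string) are served without the key, matching the observation above that only the fact that quick-lint-js is running, and maybe its version, is exposed; everything carrying lint data goes over the guarded WebSocket.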