I can see your local web servers
How many web servers are running on your machine right now? Do all of those development web servers have a secure login, and restrictive CORS permissions? You don’t know? Allow me to check for you:
If you see any results like localhost:3000 is available!,
you should secure whatever you have running on that port,
because all websites you visit have access to it -
including the page you’re reading!
It is not sufficient security to only bind to 127.0.0.1
(the “loopback interface”),
because there are untrusted programs running on your machine right now
that have access to the loopback interface.
Those untrusted programs are web pages!
The mistake is easily made. Here’s an example vulnerable app, using Express, a popular web framework:
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors());
app.get('/', (req, res) =>
res.send('My personal admin site'));
app.listen(3000);
To make things worse,
many servers bind to 0.0.0.0
,
meaning the server is available from anywhere that can reach the machine.
For example, Express does this by default!
If you’re at work right now,
you might have dozens of other employees on your local network.
We can scan for all of their exposed servers, too:
If you see any results like 192.168.0.4:3000 is available!, you should tell your colleague to secure whatever she has running on that port, because it is accessible by all websites visited by all your colleagues! It is not sufficient security to hide behind a NAT (e.g. your WiFi router), because there are untrusted programs running on your network right now that have access to every machine - again, those untrusted programs are web pages!
More by Jim
- The inception bar: a new phishing method
- The hacker hype cycle
- Project C-43: the lost origins of asymmetric crypto
- How Hacker News stays interesting
- My parents are Flat-Earthers
- The dots do matter: how to scam a Gmail user
- The sorry state of OpenSSL usability
- I hate telephones
- The Three Ts of Time, Thought and Typing: measuring cost on the web
- Granddad died today
- Your syntax highlighter is wrong
Tagged #programming, #security. All content copyright James Fisher 2019. This post is not associated with my employer. Found an error? Edit this page.