I can see your local web servers

How many web servers are running on your machine right now? Do all of those development web servers have a secure login, and restrictive CORS permissions? You don’t know? Allow me to check for you:

If you see any results like localhost:3000 is available!, you should secure whatever you have running on that port, because all websites you visit have access to it - including the page you’re reading! It is not sufficient security to only bind to 127.0.0.1 (the “loopback interface”), because there are untrusted programs running on your machine right now that have access to the loopback interface. Those untrusted programs are web pages!

The mistake is easily made. Here’s an example vulnerable app, using Express, a popular web framework:

const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors());
app.get('/', (req, res) => 
  res.send('My personal admin site'));
app.listen(3000);

To make things worse, many servers bind to 0.0.0.0, meaning the server is available from anywhere that can reach the machine. For example, Express does this by default! If you’re at work right now, you might have dozens of other employees on your local network. We can scan for all of their exposed servers, too:

If you see any results like 192.168.0.4:3000 is available!, you should tell your colleague to secure whatever she has running on that port, because it is accessible by all websites visited by all your colleagues! It is not sufficient security to hide behind a NAT (e.g. your WiFi router), because there are untrusted programs running on your network right now that have access to every machine - again, those untrusted programs are web pages!

Get updates on Twitter

More by Jim

Tagged #programming, #security. All content copyright James Fisher 2019. This post is not associated with my employer. Found an error? Edit this page.

Jim Fisher
Speaking
Blogroll
Vidrio
RSS