Conversation
Notices
-
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 04:16:19 JST 
Alex Gleason
@eriner question, how TF do I prevent SSRF without setting up an outbound proxy server? Doing DNS lookup I assume will destroy performance, and caching the lookup makes it vulnerable to timing attacks. The internet is broken -
Embed this notice
Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Wednesday, 16-Aug-2023 04:23:27 JST ![Matt Hamilton [Maryland]](https://gnusocial.jp/avatar/2324-48-20230922010214.webp)
Matt Hamilton [Maryland]
@alex like you mentioned, resolving DNS and inspecting the records is the only full-proof way. You’d want to disable the aws/gcp metadata endpoints, 127.0.0.1/localhost, and maybe even all RFC1918 addresses.
The cheating way is to not do any of that and allow arbitrary GETs, BUT fix the issue elsewhere. Disable metadata api (and put a check at program startup), don’t run unauthenticated local services, make the result blind (so the ssrf can’t be used as an intranet port scanner)
Alex Gleason likes this. -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 04:27:35 JST
Alex Gleason
@eriner Seems like I would have to separately look up A, AAAA, and CNAME. I don't know the route my application will actually take once I call `fetch`. Plus CNAME is a whole other can of worms. Am I doing this wrong? -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 04:49:42 JST
Alex Gleason
@eriner @niggy What exactly would I be checking for? Port scanning the network? -
Embed this notice
Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Wednesday, 16-Aug-2023 04:49:43 JST
Matt Hamilton [Maryland]
@niggy @alex this is correct (and what I would recommend to a client/org) but this is a hard sell for FOSS projects where you don’t control the OS or network layer. Best OSS projects can do is include a bunch of init runtime checks for the vulns and warn that external (to the software) config changes need to be made for security.
Then you get 9,999 GitHub tickets asking “how do I enable DNS rebind protection for <insert random tech stack here>
-
Embed this notice
:niggy: (niggy@poa.st)'s status on Wednesday, 16-Aug-2023 04:49:44 JST 
:niggy:
@alex @eriner easy way is on the system use dns server with rebinding protection (most do) and just disable ipv6. that just leaves simple input validation for ipv4 rfc1918/link-local, could just block ipv4 urls completely -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 04:52:05 JST
Alex Gleason
@niggy @eriner >rebinding protection
TIL. So in that case it seems like the input validation I have here actually would work after all: https://gitlab.com/soapbox-pub/deno-safe-fetch/-/blob/develop/mod.ts
It seems insane that any DNS server wouldn't have "rebind protection." Is this for the DNS server on the OS itself? Hopefully major distros ship with this. -
Embed this notice
:niggy: (niggy@poa.st)'s status on Wednesday, 16-Aug-2023 04:53:13 JST
:niggy:
@eriner @alex no real way to protect against dns rebinding in a standard web app codebase unfortunately, it's a system-level issue. would have to handle dns resolution in the app itself which is impractical Alex Gleason likes this. -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 04:55:40 JST
Alex Gleason
@niggy @eriner WHY -
Embed this notice
Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Wednesday, 16-Aug-2023 04:56:15 JST
Matt Hamilton [Maryland]
@alex @niggy check if you can GET aws+gcp metadata api by IP, check if you can do the same with A/AAA records and CNAMEs (using records from a domain you control). Same for 127.0.0.1 using whatever port the software’s server listens on, but you may just have to accept the risk for that one because idk how you fix that without resolving and testing every FQDN resolution result anyway.
My suggestion is to use content-type whitelist strategy I mentioned.
Alex Gleason likes this. -
Embed this notice
Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Wednesday, 16-Aug-2023 05:09:45 JST
Matt Hamilton [Maryland]
Alex Gleason likes this. -
Embed this notice
:niggy: (niggy@poa.st)'s status on Wednesday, 16-Aug-2023 05:10:12 JST
:niggy:
@alex @eriner yeah unfortunately no default protection at the os level, and even big public dns providers (eg google, cloudflare) don't, think just because there's some niche legitimate use cases for it
when I said dns server I meant more a custom deployed one, eg the dns service in any standard router software will have an option for it, often default enabled
on the server system itself could just set up eg a local unbound service, that would protected against itAlex Gleason likes this. -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 05:15:06 JST
Alex Gleason
@niggy @eriner Now it's telling me this, which makes me think there was never any problem. -
Embed this notice
Matt Hamilton [Maryland] (eriner@noagendasocial.com)'s status on Wednesday, 16-Aug-2023 05:29:22 JST
Matt Hamilton [Maryland]
@alex @niggy this might be true for localhost but probably won’t save you from SSRF to other RFC1918 addresses + aws metadata ip.
Alex Gleason likes this. -
Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Aug-2023 05:43:46 JST
Alex Gleason
@niggy @eriner nvm 😭
-
Embed this notice
All GNU social JP content and data are available under the