Christine Lemmer-Webber

Christine Lemmer-Webber at

Thinking about adding a localhost-only HTTP API or line-based protocol to your project? Probably not a good idea, because you can use DNS rebinding to get at/mutate that data, or whatever execution stuff is possible, through the developer's own browser.

James Dearing 🐲 likes this.

Iñaki Arenaza, Iñaki Arenaza shared this.

Show all 6 replies

(I'll bet that TAILS uses Diane's unbound suggestion to solve this, right? But unless the tor browser bundle includes its own dns resolver, I think it probably doesn't.)

joeyh at 2016-09-01T21:17:49Z

It feels to me like using named pipes in the cases where you might use an unauthenticated port over localhost would be pretty frequently much, much better.

Christine Lemmer-Webber at 2016-09-01T21:38:21Z

https://tails.boum.org/contribute/design/Tor_enforcement/DNS/

Looks like they run a local resolver, and they do block some of the private IPs. Its unclear if it blocks 127.0.0.0/8 though.

Diane Trout at 2016-09-01T21:42:34Z

I soooooooo agree! And the current “do everything in the browser” thing need to go out the window too.

Freemor at 2016-09-02T00:32:41Z