HIGH dangling dnsexpressdynamodb

Dangling Dns in Express with Dynamodb

Scan for dangling dns in express

Dangling Dns in Express with Dynamodb — how this specific combination creates or exposes the vulnerability

A dangling DNS configuration in an Express application that uses Amazon DynamoDB can expose both application logic and infrastructure risks. In this setup, client-supplied values—such as table names, partition key values, or conditional expression attribute names—are used to construct DynamoDB API calls. If these values are not strictly validated and sanitized, an attacker can supply a hostname or CNAME that resolves to an unintended internal or external endpoint, effectively creating a dangling DNS reference that bypasses intended routing and access controls.

Consider an Express route that accepts a tableSuffix to build DynamoDB table names for a multi-tenant design:

// Risky: table name derived from user input
app.get('/records/:tableSuffix/:id', async (req, res) => {
  const { tableSuffix, id } = req.params;
  const docClient = new AWS.DynamoDB.DocumentClient();
  const params = {
    TableName: `app-data-${tableSuffix}`,
    Key: { id }
  };
  const data = await docClient.get(params).promise();
  res.json(data.Item);
});

If an attacker provides a tableSuffix that resolves via DNS to a service they control (for example, by registering a domain that resolves to a CNAME pointing into an internal AWS endpoint or an external host), the application may follow an unintended resolution path. This can lead to data being sent to or fetched from an unauthorized endpoint, effectively creating a dangling DNS vector that bypasses intended table boundaries. The same risk applies when using input to construct conditional expression attribute names in UpdateItem or BatchGetItem requests.

DynamoDB itself does not perform DNS resolution, so the vulnerability lies in how the Express layer interprets and uses user input to form resource identifiers and endpoint references. Without strict allowlists and canonicalization, the application can be tricked into directing requests to unexpected targets. This becomes especially problematic when combined with overly permissive IAM roles attached to the DynamoDB client, as unintended writes or reads may follow the dangling reference.

To detect this pattern, middleBrick scans for user-controlled inputs that influence DynamoDB table names, key schema fields, and expression attribute names, then evaluates whether the constructed resource identifiers could resolve outside the intended scope. The LLM/AI Security checks specifically probe for prompt injection and data exfiltration paths that could be chained through misconfigured endpoints, while the BFLA/Privilege Escalation and Property Authorization checks validate whether access controls properly restrict tenant boundaries.

Dynamodb-Specific Remediation in Express — concrete code fixes

Remediation centers on strict input validation, canonicalization, and avoiding dynamic table or key construction from untrusted data. Use allowlists for table suffixes, enforce strict type checks, and parameterize queries instead of concatenating strings. Below are concrete, safe patterns for Express with DynamoDB.

1. Use an allowlist for tenant identifiers

Map known, valid suffixes to canonical table names. Do not trust client input to construct table names directly.

const ALLOWED_TENANTS = {
  tenantA: 'app-data-tenantA',
  tenantB: 'app-data-tenantB'
};

app.get('/records/:tenant/:id', async (req, res) => {
  const { tenant, id } = req.params;
  const tableName = ALLOWED_TENANTS[tenant];
  if (!tableName) {
    return res.status(400).json({ error: 'invalid tenant' });
  }
  const docClient = new AWS.DynamoDB.DocumentClient();
  const params = {
    TableName: tableName,
    Key: { id }
  };
  const data = await docClient.get(params).promise();
  res.json(data.Item || {});
});

2. Validate and canonicalize key values

Ensure partition and sort keys conform to expected patterns (e.g., UUIDs, numeric IDs) before using them in DynamoDB requests.

app.get('/records/:table/:id', async (req, res) => {
  const { table, id } = req.params;
  // strict pattern for an ID: 36-character UUID
  if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(id)) {
    return res.status(400).json({ error: 'invalid id format' });
  }
  const allowedTables = new Set(['app-data-prod', 'app-data-staging']);
  if (!allowedTables.has(table)) {
    return res.status(400).json({ error: 'invalid table' });
  }
  const docClient = new AWS.DynamoDB.DocumentClient();
  const params = {
    TableName: table,
    Key: { id }
  };
  const data = await docClient.get(params).promise();
  res.json(data.Item || {});
});

3. Avoid dynamic expression attribute names from user input

Do not allow clients to supply attribute names used in UpdateItem ExpressionAttributeNames. Use a controlled mapping instead.

app.patch('/records/:table/:id', async (req, res) => {
  const { table, id } = req.params;
  const { updates } = req.body; // { status: 'active' }
  const allowedTables = new Set(['app-data-prod', 'app-data-staging']);
  if (!allowedTables.has(table)) {
    return res.status(400).json({ error: 'invalid table' });
  }
  // Map safe logical names to attribute names
  const attributeNames = {
    '#status': 'status',
    '#updatedAt': 'updatedAt'
  };
  const updateExpressions = [];
  const expressionAttrNames = {};
  const expressionAttrValues = {};

  for (const [key, value] of Object.entries(updates)) {
    if (!['status', 'updatedAt'].includes(key)) {
      continue; // skip unsupported fields
    }
    const nameToken = `#${key}`;
    updateExpressions.push(`${nameToken} = :${key}`);
    expressionAttrNames[nameToken] = key;
    expressionAttrValues[`:${key}`] = value;
  }

  if (updateExpressions.length === 0) {
    return res.status(400).json({ error: 'no valid updates' });
  }

  const docClient = new AWS.DynamoDB.DocumentClient();
  const params = {
    TableName: table,
    Key: { id },
    UpdateExpression: 'SET ' + updateExpressions.join(', '),
    ExpressionAttributeNames: expressionAttrNames,
    ExpressionAttributeValues: expressionAttrValues,
    ReturnValues: 'UPDATED_NEW'
  };
  const data = await docClient.update(params).promise();
  res.json(data.Attributes);
});

4. Enforce least privilege for the DynamoDB client

Ensure the IAM role associated with the application grants only the permissions required for the intended operations on the specific tables. Avoid wildcard actions and resource ARNs that allow cross-tenant access.

5. Use middleBrick to validate your configuration

Run middleBrick scans against your Express endpoints to surface dangling DNS risks, improper authorization, and input validation issues. The CLI provides quick feedback:

middlebrick scan https://api.example.com/records/tenantA/123e4567-e89b-12d3-a456-426614174000

With the Pro plan, you can enable continuous monitoring and CI/CD integration to catch regressions before deployment. The MCP Server allows you to run scans directly from your IDE while developing these patterns.

Scan for dangling dns in express Free API security scan

Frequently Asked Questions

Can middleBrick fix dangling DNS issues in my Express app?
middleBrick detects and reports dangling DNS and related configuration risks, providing remediation guidance. It does not automatically fix or modify your application code.
Which plan should I use to continuously monitor Express endpoints that use DynamoDB?
The Pro plan supports continuous monitoring for multiple APIs, CI/CD pipeline gates, and Slack/Teams alerts, helping you detect regressions early when using DynamoDB with Express.

Related Pages

Dangling Dns in ExpressDangling DNS creates security risks for Express apps when DNS records point to decommissioned infrastructure. Learn deteDangling Dns in DynamodbDetect Dangling DNS in DynamoDB APIs. Learn attack patterns, scanning with middleBrick, and remediation using AWS VPC enDangling Dns in Express on AzureDetect and fix dangling DNS in Express on Azure with validation patterns, Azure CLI, and CI/CD integration.Dangling Dns in Express on AwsUnderstand and remediate dangling DNS in Express on AWS with concrete code examples and middleBrick scanning guidance.Pci Dss: Dangling Dns in ExpressExplore how dangling DNS records in Express services intersect with PCI DSS controls, and apply concrete Express code fiSoc2: Dangling Dns in ExpressExplore how dangling DNS records combined with Express routing can create data exposure risks, and apply concrete ExpresIso 27001: Dangling Dns in ExpressExplore ISO 27001 controls for dangling DNS in Express apps, with remediation code and secure patterns to prevent SSRF aCis: Dangling Dns in ExpressUnderstand CIS risks from dangling DNS in Express APIs and apply concrete Express code fixes to validate hostnames and pDangling Dns in Express with Bearer TokensmiddleBrick scans API endpoints for security risks. Learn how dangling DNS with Express and Bearer Tokens can expose rouDangling Dns in Express with Basic AuthDangling DNS in Express with Basic Auth: risks and remediation patterns with code examples and host validation.Dangling Dns in Express with Hmac SignaturesDangling DNS with HMAC signatures in Express: risk explanation and remediation code examples.Dangling Dns in Express with Api KeysLearn how dangling DNS combined with API keys can expose Express services and apply concrete code fixes to secure outbou