HIGH dangling dnsfeathersjsapi keys

Dangling Dns in Feathersjs with Api Keys

Scan for dangling dns in feathersjs

Dangling Dns in Feathersjs with Api Keys — how this specific combination creates or exposes the vulnerability

A dangling DNS record occurs when a hostname (e.g., internal.service.example.com) still points to an IP address, but the target service or workload has been decommissioned or moved. In FeathersJS, if an API key–based route or hook resolves such a hostname during request processing, the application may inadvertently forward data or authentication material to an uncontrolled endpoint.

FeathersJS applications often use hooks to enrich or validate requests, and it is common to see API keys validated or scoped via external services. When a hook or service implementation resolves a dangling hostname—perhaps to log audit data, forward events, or call an external authorization API—any response or data sent to that hostname may be intercepted by an attacker who has since claimed the abandoned infrastructure. Because the API key is trusted, the request may be accepted, leading to data exposure, authentication bypass, or integration with a malicious service.

Consider a FeathersJS service that calls an external introspection endpoint using an API key for authorization. If the DNS entry for that endpoint is dangling and resolves to an attacker-controlled server, the API key can be exfiltrated via DNS queries or HTTP callbacks. The vulnerability is not in key storage per se, but in the runtime resolution path that combines an untrusted network dependency with trusted credentials. This maps to common OWASP API Top 10 items such as Broken Object Level Authorization and Security Misconfiguration, and can be surfaced by the 12 security checks, including BOLA/IDOR and Unsafe Consumption, when the scanner detects outbound calls to unpredictable endpoints.

In practice, this risk emerges when developers reuse hostnames across environments (e.g., staging and production) without ensuring that decommissioned systems are fully removed from DNS and routing. The scanner’s outbound probes and inventory checks can identify unresolved or ambiguous DNS mappings that, when combined with API key usage, indicate a potential path for data exfiltration or server-side request forgery (SSRF).

Api Keys-Specific Remediation in Feathersjs — concrete code fixes

Remediation focuses on ensuring that any hostname resolved at runtime is explicitly defined, versioned, and validated before use. Avoid dynamic resolution of external endpoints that carry trusted API keys, and enforce strict allowlists for destinations.

Example 1: Safe external call with hardcoded, validated endpoint

const axios = require('axios');

module.exports = {
  before: {
    async externalCall(context) {
      const { apiKey } = context.params.headers;
      // Use a fixed, verified hostname instead of a dynamic value
      const url = 'https://api.verified-provider.com/v1/introspect';
      const response = await axios.get(url, {
        headers: { Authorization: `Bearer ${apiKey}` }
      });
      return response.data;
    }
  }
};

Example 2: Hook-level validation and destination allowlist

const dnsAllowlist = new Set(['api.verified-provider.com', 'auth.partner.example.com']);

module.exports = {
  before: {
    async validateDestination(context) {
      const { url, apiKey } = context.params.arguments;
      try {
        const hostname = new URL(url).hostname;
        if (!dnsAllowlist.has(hostname)) {
          throw new Error('Destination not allowed');
        }
        const response = await axios.get(url, {
          headers: { Authorization: `Bearer ${apiKey}` }
        });
        return response.data;
      } catch (error) {
        throw new Error('Invalid request');
      }
    }
  }
};

Example 3: FeathersJS service with scoped API key and static configuration

const { Forbidden } = require('@feathersjs/errors');

module.exports = function (app) {
  app.use('/external', {
    async find(params) {
      const { apiKey } = params.query;
      if (!apiKey || !apiKey.startsWith('ak_live_')) {
        throw new Forbidden('Invalid API key');
      }
      // Static, audited endpoint; no runtime DNS resolution
      const url = 'https://api.verified-provider.com/v1/data';
      const response = await app.callExternal(url, { headers: { Authorization: apiKey } });
      return { data: response };
    }
  });
};

Operational practices include: keep external hostnames in configuration with explicit versions, rotate API keys regularly, and monitor for unexpected outbound connections. The middleBrick CLI can be used to scan FeathersJS endpoints from the terminal (e.g., middlebrick scan <url>) to surface DNS-related findings and ensure that API key usage does not rely on mutable or ambiguous network destinations.

Scan for dangling dns in feathersjs Free API security scan

Frequently Asked Questions

How does middleBrick detect a dangling DNS risk in a FeathersJS API using API keys?
middleBrick performs outbound inventory and resolution checks during scanning. If a FeathersJS service or hook resolves a hostname that is unresolvable or points to an ambiguous IP, and API key usage is observed in those flows, the scan flags it as a potential dangling DNS risk with remediation guidance.
Can the GitHub Action prevent a build if a FeathersJS API introduces a dangling DNS dependency with API keys?
Yes. By integrating the GitHub Action and setting a risk score threshold, builds will fail if any new findings—such as unresolved hostnames combined with credential usage—are detected, helping to prevent deployment of configurations that could expose API keys via dangling DNS.

Related Pages

Dangling Dns with Api KeysLearn how dangling DNS records can leak API keys, how middleBrick detects the issue, and practical remediation steps usiDangling Dns in Feathersjs on DigitaloceanExplore dangling DNS risks in FeathersJS on Digitalocean, with remediation code examples and how middleBrick helps detecDangling Dns in Feathersjs on AwsExplore how dangling DNS records in FeathersJS on AWS create security risks, and apply AWS-specific fixes with code examDangling Dns in Feathersjs on AzureUnderstand and remediate dangling DNS in FeathersJS on Azure with concrete code and Azure resource examples.Dangling Dns in Feathersjs on CloudflareUnderstand dangling DNS in FeathersJS with Cloudflare, and apply concrete remediation steps with code examples for securPci Dss: Dangling Dns in FeathersjsmiddleBrick scans Feathersjs APIs for PCI DSS-relevant dangling DNS, providing prioritized findings and remediation guidSoc2: Dangling Dns in FeathersjsExplore how dangling DNS records intersect with Feathersjs services and SOC 2 controls, and apply concrete Feathersjs reIso 27001: Dangling Dns in FeathersjsExplore how dangling DNS records interact with FeathersJS under ISO 27001, and apply concrete code fixes to secure serviCis: Dangling Dns in FeathersjsUnderstanding CIS risks from dangling DNS in FeathersJS apps and concrete remediation patterns with validation and pinneDangling Dns in Feathersjs with FirestoreExplore how dangling DNS references in FeathersJS with Firestore can expose configuration risks, and apply concrete FireDangling Dns in Feathersjs with DynamodbUnderstand Dangling DNS risks in FeathersJS with DynamoDB, and apply concrete code fixes to enforce table isolation and Dangling Dns in Feathersjs with CockroachdbUnderstand DNS risks in Feathersjs with Cockroachdb and apply concrete remediation in connection handling.