Dns Cache Poisoning in Express with Hmac Signatures
Dns Cache Poisoning in Express with Hmac Signatures — how this specific combination creates or exposes the vulnerability
DNS cache poisoning and HMAC signatures are typically independent concerns, but their combination in an Express application can create or expose subtle security gaps. DNS cache poisoning corrupts name resolution so that a hostname resolves to an attacker-controlled IP. When an Express app uses HMAC signatures to validate the source of requests or configuration (e.g., validating webhook signatures or tokens), it may rely on hostnames or URLs that are resolved via DNS. If DNS is poisoned, the app might mistakenly believe it is communicating with a trusted endpoint and trust an HMAC it should not, or it might leak hostnames or internal routing details that aid further compromise.
Consider an Express service that validates incoming HMAC-signed requests by checking a shared secret. The verification logic itself is sound, but if the service logs or exposes the resolved IP of a caller-supplied host header, an attacker with DNS cache poisoning can learn internal hostnames or observe discrepancies between expected and resolved endpoints. More critically, if the app uses hostnames to build canonical URLs for signature generation (e.g., forming a URL like https://api.example.com/webhook and signing the path), and DNS resolution for api.example.com is poisoned to point to a malicious server, any HMAC verification that depends on a trusted hostname becomes unreliable because the underlying network path is compromised. This does not break HMAC cryptography directly, but it undermines the trust assumptions: the client may be sending data to a malicious server, and the server may be inadvertently trusting data that appears signed because the resolver was manipulated.
In practice, this combination surfaces risks around integrity of the resolution path and information leakage. An Express app that uses subresource integrity or dynamically fetches public keys based on hostnames can be tricked into using attacker-controlled keys if DNS is poisoned. HMAC signatures protect message integrity but do not protect against a corrupted resolution layer. Additionally, improper handling of host headers in Express (e.g., trusting req.hostname for signature context without validation) can amplify the impact by allowing host header poisoning to align with poisoned DNS, making the poisoned path appear legitimate. The vulnerability is not in the HMAC algorithm but in how the application binds trust to network identities that can be manipulated through DNS cache poisoning.
Real-world patterns to consider include SSRF-like behaviors when internal hostnames are resolved externally, and the potential for attackers to infer internal network topology via timing or error differences when DNS resolution fails or diverges. While this does not directly inject into the cryptographic verification, it can lead to bypassing intended trust boundaries. For example, an endpoint that forms a URL from user input, resolves it, and then decides whether to trust an HMAC may be led to a malicious resolver, causing it to trust an illegitimate source. This is especially relevant when integrating third-party services where DNS control or poisoning is feasible.
Hmac Signatures-Specific Remediation in Express — concrete code fixes
Remediation centers on ensuring that hostnames used in signature contexts are validated independently of DNS, avoiding reliance on potentially poisoned resolution, and hardening Express configuration to minimize leakage or misuse. Below are concrete patterns and code examples for Express.
1. Validate and pin hostnames, avoid dynamic resolution for trust decisions
Do not derive trust solely from resolved IPs or dynamic hostnames. Pin expected hostnames and compare them explicitly before using them in signature or URL construction.
const expectedHostname = 'api.example.com';
app.use((req, res, next) => {
const actual = req.hostname;
if (actual !== expectedHostname) {
return res.status(400).send('Invalid host header');
}
next();
});
2. Use strict host header parsing and disable trust of proxy-provided hostname when not needed
Configure Express with trust proxy set appropriately and avoid using req.hostname for security decisions unless you control DNS and proxy behavior.
const express = require('express');
const app = express();
// Be explicit about proxy settings; do not trust arbitrary host headers.
app.set('trust proxy', 1); // trust only the first proxy if behind one
app.use((req, res, next) => {
// Prefer a whitelisted set or exact match instead of dynamic resolution.
const allowedHost = 'api.example.com';
if (req.get('host') !== allowedHost) {
return res.status(400).send('Invalid host');
}
next();
});
3. Sign and verify using canonical identifiers independent of DNS
When generating or verifying HMACs, use stable identifiers (e.g., a service ID or fixed endpoint path) rather than runtime-resolved hostnames. If you must include a hostname, pin it and validate it before inclusion.
const crypto = require('crypto');
const secret = Buffer.from(process.env.HMAC_SECRET, 'hex');
const PinnedServiceHost = 'service.example.com';
function buildSignedPayload(userId, timestamp) {
const data = {
sub: userId,
iat: timestamp,
host: PinnedServiceHost, // pinned, not dynamically resolved
};
const payload = Buffer.from(JSON.stringify(data)).toString('base64');
const hmac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
return { payload, hmac };
}
function verifySignedPayload(payload, receivedHmac) {
const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
// Use timing-safe compare
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(receivedHmac));
}
4. Avoid using dynamically resolved hostnames in security-sensitive contexts
If you integrate with external services, resolve and pin the IP or hostname at startup or via secure configuration, and do not allow runtime DNS to influence which HMAC keys or endpoints are used.
const https = require('https');
const pinnedIp = '192.0.2.10'; // resolved out-of-band
function callSignedWebhook(data) {
const payload = JSON.stringify(data);
const hmac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
const options = {
hostname: pinnedIp, // use pinned address or a verified hostname
port: 443,
path: '/webhook',
method: 'POST',
headers: {
'X-Signature': hmac,
'Content-Type': 'application/json',
},
};
const req = https.request(options, (res) => {
// handle response
});
req.end(payload);
}
5. Harden logging and error handling to prevent leakage
Do not log host headers or resolved IPs that could aid an attacker in understanding routing. Ensure errors do not reveal hostname resolution details that could be leveraged alongside DNS poisoning.
app.use((err, req, res, next) => {
// Avoid logging req.hostname or resolved details in production
console.error('Request processing error:', err.message);
res.status(500).send('Internal error');
});
These practices reduce the risk that DNS cache poisoning can undermine HMAC-based trust in Express by decoupling trust from mutable network-layer identities and enforcing strict, verifiable constraints on how hostnames and signatures are used.