HIGH dns cache poisoningfiberbasic auth

Dns Cache Poisoning in Fiber with Basic Auth

Scan for dns cache poisoning in fiber

Dns Cache Poisoning in Fiber with Basic Auth — how this specific combination creates or exposes the vulnerability

Dns Cache Poisoning exploits weaknesses in DNS resolution to redirect traffic to malicious IPs. When an API built with Fiber uses HTTP Basic Authentication but relies on the underlying platform’s DNS lookups without additional safeguards, poisoned DNS responses can route authentication requests to an attacker-controlled host.

Consider a Fiber service that calls an upstream dependency (e.g., a user service or an identity provider) using a hostname. If the DNS cache is poisoned, the hostname resolves to an IP under attacker control. Because the request includes Basic Auth credentials in headers (e.g., Authorization: Basic base64(username:password)), the attacker can capture or manipulate those credentials. This risk is elevated when requests are made server-side from within Fiber handlers, where developers may assume DNS resolution is trustworthy. The scanner’s checks for SSRF and DNS-related weaknesses highlight this interaction, noting that unauthenticated or poorly constrained network calls can expose credentials even when Basic Auth is present.

middleBrick’s scans detect scenarios where DNS resolution is not constrained (e.g., missing custom resolvers or DNS-over-HTTPS) and where authentication headers traverse potentially compromised network paths. Findings include insecure dependency on DNS behavior and exposure of credentials via interception or redirection, mapped to OWASP API Top 10:2023 A3:2023 Injection (interpreted broadly to include resolution-layer confusion) and A7:2023 Identification and Authentication Failures. Remediation guidance emphasizes verifying endpoint IPs, avoiding reliance on default resolvers, and applying additional authorization checks beyond transport-level credentials.

Basic Auth-Specific Remediation in Fiber — concrete code fixes

To reduce DNS Cache Poisoning risks when using Basic Auth in Fiber, combine runtime DNS hardening with secure credential handling. Avoid passing sensitive headers to untrusted or dynamically resolved endpoints. Below are concrete Fiber examples demonstrating safer patterns.

Example 1: Explicit HTTP client with custom DNS resolver and secure headers

Use a dedicated HTTP client that allows custom DNS configuration and enforce strict transport settings. This reduces reliance on the system resolver and helps prevent redirection to malicious IPs.

const fiber = require('express');
const { Client } = require('undici'); // or native http module with custom resolver

const app = fiber();

// Configure a client with custom DNS resolution options if available
const upstream = new Client('https://api.example.com', {
  connect: {
    rejectUnauthorized: true,
    // If your runtime supports custom DNS servers, configure them here:
    // dns: { servers: ['1.1.1.1'] }
  }
});

app.get('/proxy', async (req, res) => {
  // Do not forward Authorization to untrusted destinations
  const auth = req.headers.authorization; // Incoming Basic Auth
  if (!auth) return res.status(401).send('Missing credentials');

  // Validate and map credentials server-side instead of proxying raw headers
  const token = await validateAndIssueInternalToken(auth);

  const response = await fetch('/users/me', {
    headers: {
      Authorization: `Bearer ${token}`, // Use internal token, not original Basic Auth
    },
  });
  const data = await response.json();
  res.json(data);
});

app.listen(3000);

Example 2: Middleware to strip risky headers and enforce destination allowlisting

Intercept outbound requests from Fiber handlers to ensure credentials are not sent to unexpected hosts. Use allowlists for hostnames and prefer IP-based or mTLS approaches where feasible.

const fiber = require('express');
const http = require('http');

const app = fiber();

const ALLOWED_HOSTS = new Set(['api.example.com', 'auth.example.com']);

function outboundMiddleware(req, res, next) {
  const parsed = new URL(req.url);
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return res.status(403).send('Destination not allowed');
  }
  // Remove or replace sensitive headers before forwarding
  delete req.headers['authorization'];
  req.headers['authorization'] = `Bearer ${issueScopedToken()}`;
  next();
}

app.use('/services/*', outboundMiddleware);

app.get('/services/users', (req, res) => {
  const options = {
    hostname: 'api.example.com',
    port: 443,
    path: '/users',
    method: 'GET',
    headers: {
      authorization: req.headers.authorization,
    },
  };

  const proxy = http.request(options, apiRes => {
    let data = '';
    apiRes.on('data', chunk => data += chunk);
    apiRes.on('end', () => res.send(data));
  });
  proxy.on('error', () => res.status(502).send('Upstream error'));
  proxy.end();
});

app.listen(3000);

Credential handling guidance

  • Do not forward incoming Basic Auth headers directly to external endpoints; map to scoped tokens server-side.
  • Validate endpoint hostnames against an allowlist and prefer fixed IPs when possible.
  • Use environment variables or secure vaults for credentials rather than embedding them in code.
  • Enable strict TLS verification and consider DNS-over-HTTPS if your runtime permits.
Scan for dns cache poisoning in fiber Free API security scan

Frequently Asked Questions

Does middleBrick detect DNS-related misconfigurations in Fiber APIs that use Basic Auth?
Yes. middleBrick runs checks for SSRF and DNS resolution behavior. Findings include risks where Basic Auth credentials traverse paths influenced by DNS cache poisoning, with remediation steps to restrict DNS usage and validate endpoints.
Can the scanner test authenticated flows when using Basic Auth in Fiber?
middleBrick tests the unauthenticated attack surface by default. To include authenticated paths, provide session tokens or test credentials via the dashboard or CLI options; this helps surface authorization gaps alongside DNS and injection issues.

Related Pages

Dns Cache Poisoning in FiberDNS cache poisoning in Fiber apps via SSRF and DNS rebinding. Detect with middleBrick's SSRF scans, remediate with custoDns Cache Poisoning with Basic AuthLearn how DNS cache poisoning can expose Basic Auth credentials, how to detect it with middleBrick, and fix it using hosDns Cache Poisoning in Fiber on DigitaloceanLearn DNS cache poisoning risks in Fiber on Digitalocean and apply concrete code fixes with secure resolvers and DNS-oveDns Cache Poisoning in Fiber on AwsUnderstand DNS cache poisoning in Fiber on AWS and apply concrete fixes: custom secure resolvers, TLS certificate validaDns Cache Poisoning in Fiber on AzureLearn how Dns Cache Poisoning can affect Fiber apps on Azure and apply Azure-specific code fixes using DoH and short-TTLDns Cache Poisoning in Fiber on CloudflareExplore DNS cache poisoning in Fiber behind Cloudflare and apply concrete Cloudflare-specific code fixes to harden DNS rPci Dss: Dns Cache Poisoning in FiberUnderstand DNS cache poisoning risks in Fiber APIs and apply secure resolution patterns with code examples to meet PCI DSoc2: Dns Cache Poisoning in FiberExplore how DNS cache poisoning interacts with Fiber under SOC 2, and apply concrete resolver hardening code examples.Iso 27001: Dns Cache Poisoning in FiberExplore ISO 27001 controls relevant to DNS cache poisoning in Fiber apps, with concrete remediation code and middleBrickCis: Dns Cache Poisoning in FiberUnderstand DNS cache poisoning risks with Fiber and implement hardened resolvers, DoH, and secure lookup patterns.Dns Cache Poisoning in Fiber with DynamodbUnderstand DNS cache poisoning risks in Fiber apps using DynamoDB, with concrete remediation code examples and IAM hardeDns Cache Poisoning in Fiber with CockroachdbExplore DNS cache poisoning in Fiber apps using CockroachDB, with remediation code examples and security guidance.