Dns Cache Poisoning in Grape with Hmac Signatures

DNS cache poisoning is an attack where a DNS resolver is fed falsified records, causing clients to be directed to malicious IPs. In a Grape API, this can intersect with HMAC signatures in a dangerous way when the API relies on hostname- or origin-based routing decisions and the DNS for those hosts is compromised.

Consider an API that validates the Host header or uses the request origin to scope authorization. If an attacker can poison DNS so that api.example.com resolves to a server they control, they may be able to route victim requests to a malicious proxy. When HMAC signatures are used, the signature is typically computed over selected headers (e.g., Date, Content-Type, a canonical representation of the request). The server recomputes the HMAC using its shared secret and verifies it. This protects integrity and authenticity of the signed data, but it does not inherently prevent the client from sending the request to the wrong server if DNS is poisoned.

In this specific combination, the risk arises if the client performs signature verification or signing using a hostname that can be redirected via DNS. An attacker who can poison DNS might redirect the client to a rogue server that presents a valid TLS certificate for another domain (e.g., via a compromised certificate or a valid cert for an attacker-controlled domain). If the client uses a pinned hostname or relies on DNS to locate the signing/verification endpoint, the poisoned DNS can cause the client to interact with the attacker’s server. The HMAC may still verify if the attacker can obtain or reuse the secret, but more commonly, the client may mistakenly trust data because it arrives with a seemingly valid signature context, while the actual backend service is bypassed. This can facilitate request smuggling, replay, or authorization bypass if the signature scope does not tightly bind to the intended destination IP or strict hostname verification.

To detect such issues, middleBrick scans the unauthenticated attack surface of a Grape API endpoint using 12 parallel security checks, including Input Validation, Authentication, and Data Exposure. The scan does not rely on internal architecture but tests what an external attacker can observe and manipulate. If your API uses HMAC signatures, the scan evaluates whether the signature scope, header selection, and host validation are robust against scenarios where DNS resolution could be manipulated.

Remediation focuses on ensuring that HMAC verification does not depend on mutable DNS or host header values that can be poisoned. Bind the signature to a strict host and enforce strict hostname verification on the client side. Use a pinned hostname or certificate pinning where feasible, and avoid allowing the client to influence which host the request is sent to after signature generation.

On the server side, always validate the Host header against an expected value and include the request target (path and query) and selected headers in the HMAC canonical string. Do not trust the resolved IP for authorization decisions. Below are concrete examples for a Grape API using HMAC signatures.

Example 1: Server-side signature verification with strict host validation in Grape (Ruby).

require 'openssl'
require 'base64'
require 'json'

class HmacValidator
  EXPECTED_HOST = 'api.example.com'.freeze
  SIGNATURE_HEADER = 'X-Api-Signature'.freeze
  ALGORITHM = 'sha256'.freeze

  def self.call!(env)
    request = Rack::Request.new(env)
    host = request.get_header('HTTP_HOST')
    # Reject requests with unexpected Host header to prevent DNS/poisoning misuse
    halt 400, { error: 'invalid_host' }.to_json unless host == EXPECTED_HOST

    signature = request.get_header("HTTP_#{SIGNATURE_HEADER}")
    timestamp = request.get_header('HTTP_DATE')
    method = request.request_method
    path = request.path
    body = request.body.read
    request.body.rewind

    # Build canonical string tightly binding method, path, host, timestamp, and body
    canonical = [method, path, host, timestamp, body].join("\n")
    expected = Base64.strict_encode64(
      OpenSSL::HMAC.digest(OpenSSL::Digest.new(ALGORITHM), ENV.fetch('HMAC_SECRET'), canonical)
    )

    unless secure_compare(signature, expected)
      halt 401, { error: 'invalid_signature' }.to_json
    end

    # Optionally verify timestamp to prevent replay
    halt 400, { error: 'stale_request' }.to_json if Time.now - Time.parse(timestamp) > 30

    # Proceed to route handling
    call!(env)
  end

  def self.secure_compare(a, b)
    return false if a.nil? || b.nil?
    return false unless a.bytesize == b.bytesize
    l = a.unpack 'C*'
    r = b.unpack 'C*'
    res = 0
    l.each_with_index { |byte, i| res |= byte ^ r[i] }
    res == 0
  end
end

# Usage in a Grape route
class MyApi < Grape::API
  format :json
  before { HmacValidator.call!(env) }

  get :status do
    { status: 'ok' }
  end
end

Example 2: Client-side signing with strict host and request target in Ruby (e.g., a client that signs requests before sending them through a potentially poisoned DNS resolution). This ensures the signed request cannot be swapped to a different host without breaking the signature.

require 'openssl'
require 'base64'
require 'net/http'
require 'uri'

def sign_request(method, path, host, timestamp, body, secret)
  canonical = [method, path, host, timestamp, body].join("\n")
  signature = Base64.strict_encode64(
    OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, canonical)
  )
  { 'X-Api-Signature' => signature, 'Date' => timestamp, 'Host' => host }
end

uri = URI('https://api.example.com/status')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

method = 'GET'
path = '/status'
host = 'api.example.com'  # pinned host, not derived from request
now = Time.now.utc.httpdate
body = ''

headers = sign_request(method, path, host, now, body, ENV.fetch('HMAC_SECRET'))
req = Net::HTTP::Get.new(path, headers)
req['Date'] = now

# Even if DNS is poisoned, the client sends Host: api.example.com and signs with it.
# The server should reject mismatches, ensuring the request never reaches a rogue host.
response = http.request(req)
puts response.body

Additional guidance: Use short timestamp windows (e.g., 30 seconds) to limit replay windows, and ensure TLS is enforced to prevent on-path tampering of the Host header. middleBrick’s scans can validate that your API rejects requests with unexpected Host headers and that signatures cover the host and request target.