Dns Rebinding in Actix

Dns rebinding attacks exploit the browser's same-origin policy by manipulating DNS records to make a malicious domain resolve to a private IP address. In Actix applications, this vulnerability typically emerges when the framework accepts connections on 0.0.0.0 or when it binds to interfaces that inadvertently expose internal services to the internet.

Actix's default binding behavior makes it particularly susceptible. When you run an Actix application with default settings, it often binds to 0.0.0.0:8080, accepting connections from any network interface. This becomes dangerous when combined with features like Actix's built-in WebSocket support or when the application acts as a reverse proxy.

A common attack pattern involves an attacker hosting a malicious webpage that includes JavaScript attempting to connect to the victim's Actix service. The browser respects same-origin policies, but DNS rebinding bypasses this by first resolving the malicious domain to the attacker's IP, then rapidly switching it to resolve to a private IP like 192.168.1.100 where the Actix service runs. The browser, having already established a connection to what it believes is the same origin, allows the JavaScript to interact with the internal service.

In Actix applications that implement WebSocket endpoints, the attack becomes more severe. Consider an Actix WebSocket handler that accepts connections without proper origin validation:

use actix_web::{web, App, HttpServer, HttpResponse, get, Responder};
use actix_web_actors::ws;

async fn websocket_endpoint(req: actix_web::HttpRequest, stream: actix_web::web::Payload) -> impl Responder {
    ws::start(MyWebSocket::new(), &req, stream)
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .service(web::resource("/ws").route(web::get().to(websocket_endpoint)))
    })
    .bind("0.0.0.0:8080")? // Vulnerable binding
    .run()
    .await
}

The above code accepts WebSocket connections from any origin. An attacker could use DNS rebinding to connect to internal services that trust Actix endpoints, potentially extracting sensitive data or manipulating internal state through the WebSocket connection.

Another manifestation occurs when Actix applications serve as API gateways or reverse proxies. If the Actix service forwards requests to internal services without validating the original request's origin or implementing proper authentication, DNS rebinding can allow external attackers to reach internal APIs. This is particularly problematic when Actix applications use libraries like actix-http for HTTP client operations, as these might be tricked into connecting to internal services.

The timing aspect of DNS rebinding attacks exploits how Actix handles connection establishment. When a client attempts to connect to a DNS rebinding target, Actix's underlying tokio runtime may establish a TCP connection before the DNS resolution completes, creating a window where the connection appears legitimate to the browser's security model.

Detecting DNS rebinding vulnerabilities in Actix applications requires examining both the code structure and runtime behavior. The first indicator is the binding configuration in your Actix application. Any binding to 0.0.0.0 or specific internal IP addresses without proper network segmentation is a red flag.

middleBrick's scanning approach for Actix applications focuses on identifying these binding patterns and testing the runtime behavior. When scanning an Actix endpoint, middleBrick attempts to establish connections from different network contexts to determine if the service is accessible from unauthorized networks. The scanner specifically looks for Actix's characteristic HTTP response patterns and WebSocket handshake behaviors.

For Actix WebSocket endpoints, middleBrick tests the origin validation by attempting connections with forged origin headers. The scanner uses a technique similar to actual DNS rebinding attacks, where it first establishes a connection to the service, then attempts to reuse that connection context to access internal resources. This reveals whether Actix's WebSocket implementation properly validates origins and implements connection isolation.

Code analysis with middleBrick examines Actix application source for several vulnerability patterns:

// Vulnerable patterns detected by middleBrick:
// 1. Binding to 0.0.0.0 without restrictions
HttpServer::bind("0.0.0.0:8080")

// 2. Missing origin validation in WebSocket handlers
ws::start(MyWebSocket::new(), &req, stream) // No origin check

// 3. Unrestricted proxy forwarding
let client = awc::Client::default();
let res = client.get(internal_api_url).send().await; // No validation

// 4. Missing CORS configuration
App::new().wrap(cors::Cors::permissive()) // Too permissive

middleBrick's LLM security module also checks for AI-specific vulnerabilities that could compound DNS rebinding issues. If your Actix application integrates AI/ML endpoints (increasingly common with Actix's async capabilities), middleBrick tests for system prompt leakage and prompt injection vulnerabilities that could be exploited after a successful DNS rebinding attack.

The scanner's runtime testing includes attempting to establish WebSocket connections to Actix endpoints and analyzing the handshake process. middleBrick looks for Actix-specific response headers like Server: actix-web and examines the WebSocket upgrade process to determine if proper security controls are in place.

For Actix applications using TLS, middleBrick verifies that certificate validation is properly configured and that the application doesn't fall back to insecure connections. DNS rebinding attacks often attempt to downgrade connections, so proper TLS configuration is essential.

Securing Actix applications against DNS rebinding requires a multi-layered approach that addresses both the binding configuration and the application logic. The most fundamental fix is to bind Actix services only to specific, intended interfaces rather than 0.0.0.0.

// Secure binding - only listen on intended interface
HttpServer::new(|| {
    App::new()
        .service(web::resource("/ws").route(web::get().to(websocket_endpoint)))
})
.bind("127.0.0.1:8080")? // Only localhost - no external access
.run()
.await

For production deployments where external access is needed, bind to the specific public IP address of your server rather than 0.0.0.0. This prevents the application from accepting connections from unexpected network interfaces.

WebSocket endpoints in Actix require explicit origin validation. Implement origin checking using Actix's middleware or custom logic:

use actix_web::{guard, http, web, App, HttpServer, HttpResponse};
use actix_web_actors::ws;

async fn websocket_endpoint(req: actix_web::HttpRequest, stream: actix_web::web::Payload) -> impl Responder {
    // Validate origin header
    if let Some(origin) = req.headers().get(http::header::ORIGIN) {
        let origin_str = origin.to_str().unwrap_or("");
        if origin_str != "https://your-trusted-domain.com" {
            return HttpResponse::BadRequest().finish();
        }
    }
    
    ws::start(MyWebSocket::new(), &req, stream)
}

For Actix applications that need to serve both internal and external clients, implement network-level access controls using firewall rules or reverse proxy configurations. Actix's middleware system can also help enforce security policies:

use actix_web::{dev::ServiceRequest, dev::ServiceResponse, Error};
use actix_web::middleware::NormalizePath;

async fn origin_validator(req: ServiceRequest, srv: &mut actix_web::dev::ServiceFactory) -> Result {
    if let Some(origin) = req.headers().get(http::header::ORIGIN) {
        let allowed_origins = ["https://trusted.com", "https://api.trusted.com"];
        let origin_str = origin.to_str().unwrap_or("");
        if !allowed_origins.contains(&origin_str) {
            return Ok(req.into_response(HttpResponse::Forbidden().finish()));
        }
    }
    srv.call(req).await
}

When Actix applications act as API gateways or proxies, implement strict validation of destination URLs and enforce allowlists for internal services:

use actix_http::client::Client;
use url::Url;

async fn safe_proxy(req: web::HttpRequest, body: web::Bytes) -> impl Responder {
    let target_url = req.headers().get("X-Target-Url")
        .and_then(|h| h.to_str().ok())
        .unwrap_or("");
    
    // Validate target URL against allowlist
    let allowed_networks = ["192.168.1.0/24", "10.0.0.0/8"];
    if !is_url_allowed(&target_url, &allowed_networks) {
        return HttpResponse::Forbidden().finish();
    }
    
    let client = Client::default();
    let res = client
        .request_from(target_url, req.headers())
        .no_decompress()
        .send_body(body)
        .await;
    
    // Handle response
    match res {
        Ok(response) => HttpResponse::build(response.status()).body(response.body()),
        Err(_) => HttpResponse::InternalServerError().finish(),
    }
}

For comprehensive protection, combine Actix's built-in security features with external network controls. Use Actix's CORS middleware with specific origins rather than permissive settings, implement proper authentication and authorization for all endpoints, and consider using HTTPS with proper certificate validation to prevent downgrade attacks that often accompany DNS rebinding attempts.