HIGH dns rebindingactixbasic auth

Dns Rebinding in Actix with Basic Auth

Scan for dns rebinding in actix

Dns Rebinding in Actix with Basic Auth — how this specific combination creates or exposes the vulnerability

Dns Rebinding is a client-side attack where a malicious webpage resolves to a public IP, then switches the DNS response to a private IP (e.g., 127.0.0.1). In Actix applications that expose HTTP endpoints protected only by Basic Auth, this combination can bypass same-origin protections and expose internal services. An attacker can craft a page that authenticates with valid credentials captured from the user and then rebinds to internal endpoints that the server itself trusts, such as a local admin interface or a management API.

When Basic Auth is used without additional network controls, the server may treat requests as trusted once authentication succeeds, even if the request originates from a rebinded internal address. For example, an Actix service might validate the Authorization header and then forward or proxy requests internally, assuming they are safe. Dns Rebinding can exploit this by having the client connect with valid credentials and then instruct the server to make subsequent requests to internal addresses that are not normally exposed. This becomes a server-side request forgery (SSRF) vector facilitated by authentication, allowing the attacker to probe internal networks or services that should remain unreachable.

middleBrick detects this risk pattern through unauthenticated black-box scanning, including checks for Authentication bypass mechanisms and SSRF indicators. The tool identifies whether endpoints accepting Basic Auth lack network-level restrictions on internal address resolution and whether responses expose internal services. Findings include severity assessments mapped to frameworks such as OWASP API Top 10 and provide remediation guidance without claiming to fix or block the behavior.

Basic Auth-Specific Remediation in Actix — concrete code fixes

To mitigate Dns Rebinding risks in Actix when using Basic Auth, implement network-level restrictions alongside authentication. Avoid relying on Basic Auth alone to protect internal endpoints. Combine it with explicit source validation, request destination checks, and tight network policies. The following examples show how to enforce these controls in Actix web applications.

Example 1: Basic Auth with allowed IPs in Actix

use actix_web::{web, App, HttpResponse, HttpServer, middleware::Logger};
use actix_web::http::header::HeaderValue;
use actix_web::dev::ServiceRequest;
use actix_web::error::ErrorUnauthorized;
use std::net::IpAddr;

async fn validate_ip(req: ServiceRequest) -> Result {
    // Define allowed internal IPs or ranges
    let allowed_ips = vec!["127.0.0.1".parse().unwrap(), "10.0.0.1".parse().unwrap()];
    let peer_addr = req.connection_info().realip_remote_addr()
        .and_then(|addr| addr.parse::().ok());

    match peer_addr {
        Some(ip) if allowed_ips.contains(&ip) => Ok(req),
        _ => Err((ErrorUnauthorized("Unauthorized network origin"), req)),
    }
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .wrap(Logger::default())
            .route("/admin", web::get().to(|| async { HttpResponse::Ok().body("Admin") }))
            .wrap_fn(|req, srv| {
                let fut = validate_ip(req);
                async move {
                    match fut.await {
                        Ok(req) => srv.call(req).await,
                        Err(e) => Ok(e.into()),
                    }
                }
            })
    })
    .bind("0.0.0.0:8080")?
    .run()
    .await
}

Example 2: Middleware to reject private destinations after auth

use actix_web::{web, App, HttpResponse, HttpServer, dev::ServiceRequest};
use actix_web::error::ErrorForbidden;
use actix_web::body::BoxBody;
use actix_web::http::uri::Uri;

async fn validate_destination(req: ServiceRequest) -> Result {
    // Inspect the request target to prevent rebinding to private ranges
    let target_uri: Uri = req.uri().clone();
    if let Some(host) = target_uri.host() {
        if host == "127.0.0.1" || host.ends_with(".local") {
            return Err((ErrorForbidden("Destination not allowed"), req));
        }
    }
    Ok(req)
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .route("/api", web::get().to(|| async { HttpResponse::Ok().body("Public") }))
            .wrap_fn(|req, srv| {
                let fut = validate_destination(req);
                async move {
                    match fut.await {
                        Ok(req) => srv.call(req).await,
                        Err(e) => Ok(e.into()),
                    }
                }
            })
    })
    .bind("0.0.0.0:8080")?
    .run()
    .await
    .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))
}

These examples focus on network and destination validation rather than relying solely on Basic Auth. In production, combine these checks with firewall rules, allowlists, and service mesh policies. middleBrick’s scans can verify whether endpoints exhibit these protections by testing authentication flows and SSRF indicators. Use the CLI (middlebrick scan <url>) or GitHub Action to integrate checks into your pipeline. The Dashboard helps track changes over time, and the Pro plan supports continuous monitoring for recurring scans.

Scan for dns rebinding in actix Free API security scan

Frequently Asked Questions

Can Dns Rebinding bypass Basic Auth protections in Actix?
Yes. If an Actix service validates only the presence of Basic Auth credentials without restricting destination IPs or network paths, a client-controlled DNS rebinding can cause the server to make authenticated requests to internal endpoints that should remain private, effectively bypassing perimeter-based protections.
What specific remediation does middleBrick suggest for Basic Auth + Dns Rebinding in Actix?
middleBrick reports highlight missing network-level restrictions and SSRF-like patterns when authenticated endpoints resolve to internal addresses. Remediation guidance includes implementing IP allowlists, validating request destinations, and avoiding trust of authenticated origin assumptions without network controls. These findings map to OWASP API Top 10 and related framework guidance.

Related Pages

Dns Rebinding in ActixDNS rebinding attacks on Actix applications exploit binding configurations and WebSocket endpoints. Learn Actix-specificDns Rebinding with Basic AuthDns Rebinding attacks exploit Basic Auth credential caching across origins. Learn specific detection methods and remediaDns Rebinding in Actix on GcpLearn how DNS rebinding can expose Actix services on GCP and apply concrete host validation, binding, and GCP network coDns Rebinding in Actix on KubernetesExplore DNS rebinding risks in Actix on Kubernetes, with remediation code and Kubernetes ingress controls.Dns Rebinding in Actix on NetlifyLearn how DNS rebinding can affect Actix services behind Netlify and apply concrete Netlify-specific fixes and Actix codDns Rebinding in Actix on CloudflareDns Rebinding in Actix behind Cloudflare: risks and hardening with host validation, CORS, and secure proxy headers.Iso 27001: Dns Rebinding in Actix650 wordsHipaa: Dns Rebinding in ActixUnderstand HIPAA risks with DNS rebinding in Actix services, and apply Actix-specific fixes with code examples and remedCis: Dns Rebinding in ActixExplore DNS rebinding risks in Actix services, CIS-aligned validation patterns, and concrete code fixes to prevent browsGdpr: Dns Rebinding in ActixUnderstand DNS rebinding risks in Actix services, GDPR implications, and concrete Actix code fixes to enforce origin valDns Rebinding in Actix with DynamodbExplore DNS rebinding in Actix with DynamoDB, understand the risks, and apply concrete remediation with code examples.Dns Rebinding in Actix with CockroachdbExplore DNS rebinding risks in Actix with Cockroachdb, and apply concrete code fixes like origin validation, parameteriz