Dns Rebinding in Actix with Bearer Tokens
Dns Rebinding in Actix with Bearer Tokens — how this specific combination creates or exposes the vulnerability
DNS rebinding is a network-based attack where an attacker resolves a domain name to an attacker-controlled IP address, then switches the resolution to a different target—often a private or internal host—without the client changing its request origin. In an Actix web service that uses Bearer Tokens for authorization, this combination can bypass intended network boundaries and token-based protections. Because Bearer Tokens are typically passed in HTTP headers, an attacker who can force a victim’s browser or client to make authenticated requests to a maliciously rebound IP may perform actions on internal endpoints that are not exposed publicly.
Consider an Actix application that validates requests primarily by the presence and correctness of a Bearer Token, but does not sufficiently validate the request’s network origin or enforce strict source IP checks. If an attacker registers a domain (e.g., example.attacker.com) and uses DNS rebinding to point that domain first to a benign IP and then to a private IP like 127.0.0.1 or an internal service IP, the victim’s browser may send authenticated requests with the Bearer Token to the internal service. Because the token is transmitted in the Authorization header, the request may be accepted if the token is valid, even though the network path has been manipulated.
This risk is particularly relevant when the Actix service is deployed in environments where internal services are bound to localhost or private ranges and mistakenly assumed to be inaccessible from outside. An attacker does not need to compromise the token itself; they rely on the client’s existing authenticated session and the trust placed in the token. The unauthenticated scan capabilities of middleBrick can surface such network-based host confusion issues during endpoint reconnaissance, especially when combined with input validation and SSRF checks that highlight unexpected destination resolution.
In practice, this manifests as a request that appears authorized due to a valid Bearer Token but originates from a network path that should not be allowed. The Actix application may log and process the request as if it came from a trusted client, exposing internal endpoints or enabling unauthorized operations through a trusted identity. Because middleBrick tests authentication, BOLA/IDOR, and input validation in parallel, findings related to network-level authorization bypasses can be surfaced when scanning an Actix endpoint that relies on Bearer Tokens without complementary network controls.
Bearer Tokens-Specific Remediation in Actix — concrete code fixes
To mitigate DNS rebinding risks when using Bearer Tokens in Actix, you should combine token validation with strict network and origin checks. Below are concrete, syntactically correct examples that show how to implement these controls in an Actix web application.
First, ensure that token validation is performed within a guarded scope and that requests are tied to more than just the token—for example, by validating the Origin or Referer headers when appropriate. The following Actix snippet demonstrates a basic guard that checks a Bearer Token and also inspects the origin of the request to help prevent requests that have been rebound:
use actix_web::{web, App, HttpResponse, HttpServer, Responder, HttpRequest};
use actix_web::http::header::HeaderValue;
async fn validate_bearer_and_origin(req: HttpRequest, payload: web::Payload) -> Result {
// Extract Bearer token
let auth_header = req.headers().get("Authorization")
.ok_or_else(|| actix_web::error::ErrorUnauthorized("Missing Authorization header"))?;
let auth_str = auth_header.to_str().map_err(|_| actix_web::error::ErrorUnauthorized("Invalid header encoding"))?;
if !auth_str.starts_with("Bearer ") {
return Err(actix_web::error::ErrorUnauthorized("Invalid Authorization format"));
}
let token = auth_str.trim_start_matches("Bearer ");
// Validate token (replace with your token validation logic, e.g., JWT verification)
if token != "expected-secure-token" {
return Err(actix_web::error::ErrorUnauthorized("Invalid token"));
}
// Optional: restrict by origin to mitigate rebinding in browser contexts
if let Some(origin) = req.headers().get("Origin") {
let origin_str = origin.to_str().unwrap_or("");
if origin_str != "https://trusted.example.com" {
return Err(actix_web::error::ErrorForbidden("Origin not allowed"));
}
}
Ok(HttpResponse::Ok().body("Authorized and origin-checked"))
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.route("/api/secure", web::post().to(validate_bearer_and_origin))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
In this example, the handler checks for a Bearer token and validates it against an expected value. It additionally checks the Origin header to ensure the request originates from an expected domain, which helps prevent browsers from sending authenticated requests to rebound IPs. You can extend this approach by checking the Host header or using connection information available in Actix’s request extensions to ensure the resolved destination matches your expectations.
For more robust protection, avoid relying solely on token validation. Combine this with network-level controls such as binding services to specific interfaces, using firewall rules to restrict access to internal endpoints, and employing middleware that inspects resolved destination IPs when possible. middleBrick’s checks around authentication, input validation, and SSRF can help identify endpoints that may be exposed to such bypass scenarios.