Dns Rebinding in Adonisjs (Typescript)

DNS rebinding is a client-side attack that manipulates DNS responses to make a browser believe a malicious domain is the same origin as a trusted one. In AdonisJS applications written in Typescript, this risk arises when the server does not validate the Host header or origin of incoming requests and reflects or uses host-derived values without strict allowlisting. AdonisJS, as a Node.js framework, does not inherently protect against HTTP Host header manipulation; if route handlers or middleware rely on ctx.request.hostname or ctx.request.host to construct URLs, redirect paths, or policy decisions, an attacker can supply a poisoned hostname that bypasses same-origin assumptions.

Consider a health-check endpoint exposed in AdonisJS that returns the current service hostname to frontend JavaScript. If the endpoint returns the value from the request Host header without validation, an attacker can use DNS rebinding to make the endpoint appear to originate from the same domain, enabling sensitive internal service enumeration. In Typescript, this is often implemented as:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class HealthController {
  public async show({ request }: { request: HttpContextContract['request'] }) {
    // Risk: reflects attacker-controlled Host header
    return { hostname: request.hostname }
  }
}

An unauthenticated attacker can trigger this by resolving a benign domain to an attacker IP, then rebinding to an internal target (e.g., 127.0.0.1) after page load. The browser executes JavaScript that reads the response, effectively bypassing same-origin policies and exposing internal endpoints. AdonisJS middleware that uses hostname-based routing or CORS logic without strict validation can similarly be abused to redirect or leak data to internal destinations.

Additional exposure occurs when AdonisJS applications integrate with LLM/AI endpoints or external services and derive target URLs from request metadata. If an attacker rebinds to a malicious DNS name that resolves to a sensitive internal service, and the application trusts the Host header for constructing callback URLs or authorization decisions, the attack can lead to Server-Side Request Forgery (SSRF) or confused deputy scenarios. middleBrick’s LLM/AI Security checks include unauthenticated LLM endpoint detection and system prompt leakage detection, which help surface risky integrations where hostname-derived configuration might be abused.

Because AdonisJS applications often serve APIs consumed by SPAs or mobile clients, failing to validate and sanitize the Host header and origin can result in information disclosure, unauthorized internal probing, or abuse of internal routes. Defense requires explicit allowlisting of expected hostnames, rejecting requests with malformed or unexpected host headers, and avoiding the use of reflected host-derived values for security decisions.

Remediation in AdonisJS with Typescript centers on strict hostname validation, avoiding reflection of untrusted host values, and enforcing allowlists. The framework does not provide built-in hostname allowlists, so developers must implement checks in middleware or route guards. Below are concrete, Typescript-safe patterns to mitigate DNS rebinding.

1. Validate Host Header in Middleware

Create middleware that verifies the Host header against an allowlist before proceeding. This prevents requests with poisoned hostnames from reaching route handlers.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { middleware } from '@ioc:Adonis/Core/BodyValidator'

export default class HostValidationMiddleware {
  private ALLOWED_HOSTS = new Set([
    'api.example.com',
    'app.example.com',
    'staging.example.com'
  ])

  public async handle(ctx: HttpContextContract, next: () => Promise) {
    const host = ctx.request.hostname()
    if (!this.ALLOWED_HOSTS.has(host)) {
      ctx.response.badRequest({ error: 'Invalid host header' })
      return
    }
    await next()
  }
}

2. Avoid Reflecting Hostname in Responses

Do not return the request hostname directly to clients. If you must echo host information, map it to a known safe value or omit it entirely.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class SafeController {
  public async health({ response }: { response: HttpContextContract['response'] }) {
    // Safe: fixed value, no reflection of request Host
    response.body = { ok: true, service: 'api-service-v1' }
  }
}

3. Enforce Canonical Hostname in Redirects

If your application issues redirects, always use a canonical hostname rather than deriving it from the request. This prevents open redirects and rebinding-assisted phishing.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class RedirectController {
  public async dashboard({ response }: { response: HttpContextContract['response'] }) {
    const canonical = 'https://app.example.com'
    return response.redirect(canonical + '/dashboard')
  }
}

4. Secure CORS and Route Configuration

Configure CORS to restrict origins explicitly and avoid wildcard origins that could be bypassed via rebinding. In start/cors.ts, use precise origins and avoid reflecting request-origin headers.

import { cors } from '@ioc:Adonis/Addons/Cors'

export default cors({
  enabled: true,
  origin: [
    'https://app.example.com',
    'https://admin.example.com'
  ],
  allowMethods: ['GET', 'POST'],
  allowHeaders: ['Authorization', 'Content-Type']
})

5. CI/CD Integration and Continuous Monitoring

Use the middleBrick CLI to scan your AdonisJS endpoints from the terminal and integrate checks into your workflow:

# Scan a local development endpoint
middlebrick scan http://localhost:3333/health

For teams, the Pro plan adds continuous monitoring and the GitHub Action can fail builds if risk scores degrade. The MCP Server lets you scan APIs directly from your IDE while developing Typescript routes, providing early feedback on risky patterns.