DNS Rebinding in Chi with JWT Tokens
DNS Rebinding in Chi with JWT Tokens — how this specific combination creates or exposes the vulnerability
Chi is a lightweight HTTP library for .NET that is commonly used to build REST APIs. When JWT tokens are used for stateless authentication, the framework typically validates the token early in the request pipeline and attaches the principal to the request context. DNS rebinding intersects with this flow when an attacker controls DNS responses and re-points a seemingly trusted hostname to an internal address after the JWT validation step has already run.
Consider an endpoint that relies on a hostname-based access rule (for example, allowing requests only from a service named internal-api.example.com). The attacker first causes the victim's browser or client to resolve internal-api.example.com to a public IP, where the request passes JWT validation, then quickly flips the DNS response so the name points to an internal service such as 127.0.0.1 or the cloud metadata service at 169.254.169.254. Because JWT validation has already succeeded and the routing decision was made on the original hostname, the request may be processed with elevated trust, inadvertently exposing internal endpoints or allowing SSRF-like behavior through the trusted channel.
In Chi, if authorization logic reads the request host directly (e.g., via Request.Host) after authentication, an attacker can exploit the gap between the DNS TTL and the token lifetime to bypass intended network boundaries. This does not break the JWT signature; it subverts the assumption that the host remains immutable once authentication has completed. The attack surface matters most when internal services are exposed under the same domain namespace, or when CORS rules are host-based rather than origin-based.
middleBrick can help detect configurations where host-based rules are used in conjunction with JWT validation by scanning the unauthenticated attack surface and analyzing OpenAPI specifications for ambiguous routing definitions. Findings include guidance on removing hostname-based authorization and using normalized origins or token claims for access control.
JWT Token-Specific Remediation in Chi — concrete code fixes
To mitigate DNS rebinding risks when using JWT tokens in Chi, do not rely on the request host for authorization after authentication. Instead, derive access decisions from validated token claims, and verify the hostname strictly against a canonical value before any routing or business logic runs.
Secure JWT validation and host normalization in Chi
The following example shows how to validate JWT bearer tokens in a Chi pipeline and enforce host normalization before any routing decision is made.
open System
open System.IdentityModel.Tokens.Jwt
open Microsoft.IdentityModel.Protocols
open Microsoft.IdentityModel.Protocols.OpenIdConnect
open Microsoft.IdentityModel.Tokens
open Suave
open Suave.Filters
open Suave.Operators
open Suave.RequestErrors
open Suave.Successful

// Canonical hostname this service answers for; any other Host header is rejected
let canonicalHost = "api.example.com"

// Fetch the issuer's signing keys over HTTPS from a fixed, immutable metadata address
let oidcConfig =
    let manager =
        ConfigurationManager<OpenIdConnectConfiguration>(
            "https://auth.example.com/.well-known/openid-configuration",
            OpenIdConnectConfigurationRetriever())
    manager.GetConfigurationAsync().Result

// Pin issuer and audience explicitly so tokens minted for another service are refused
let tokenValidationParameters =
    TokenValidationParameters(
        ValidateIssuer = true,
        ValidIssuer = "https://auth.example.com",
        ValidateAudience = true,
        ValidAudience = "api.example.com",
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes 5.0,
        IssuerSigningKeys = (oidcConfig.SigningKeys :> seq<SecurityKey>))

// Reject any request whose Host header is not the canonical name, before
// authentication or routing, so a rebound hostname never reaches a handler.
// A port-qualified Host (api.example.com:8080) is rejected as well.
let requireCanonicalHost : WebPart =
    request (fun req ->
        if req.host.ToLowerInvariant() = canonicalHost then succeed
        else BAD_REQUEST "Invalid host")

// Validate the bearer token against the pinned parameters and keep the resulting
// principal in the request's user state for claims-based checks downstream
let requireJwt : WebPart =
    request (fun req ->
        match req.header "authorization" with
        | Choice1Of2 value when value.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) ->
            let token = value.Substring("Bearer ".Length)
            try
                let handler = JwtSecurityTokenHandler()
                let principal, _ = handler.ValidateToken(token, tokenValidationParameters)
                Writers.setUserData "principal" principal
            with _ -> UNAUTHORIZED "Invalid token"
        | _ -> UNAUTHORIZED "Missing bearer token")

// Host check first, then token validation, then path-based routing only
let apiApp : WebPart =
    requireCanonicalHost
    >=> requireJwt
    >=> choose [
            GET >=> path "/health" >=> OK "Healthy"
            GET >=> path "/users" >=> OK """{ "users": [] }"""
            NOT_FOUND "Not found" ]

startWebServer defaultConfig apiApp
Key points in the remediation:
- Set ValidIssuer and ValidAudience explicitly to prevent acceptance of tokens from unexpected issuers or audiences that may be reachable via rebinding.
- Normalize and validate the request host early in the pipeline, comparing against a canonical hostname rather than using Request.Host for access control.
- Use HTTPS metadata endpoints with pinned certificates where possible to reduce the impact of DNS manipulation.
- Avoid routing based on subdomains that can be influenced by DNS rebinding; use path-based routing or claims-based authorization instead.
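The last two points side by side, as an added example written for this page (not middleBrick's or Suave's own code): a host-based rule of the kind rebinding defeats, next to a scope check that reads only the validated token. It assumes Suave, that the JWT step stored the ClaimsPrincipal in the user state under a hypothetical "principal" key, and a space-separated OAuth2 "scope" claim.

```fsharp
open System
open System.Security.Claims
open Suave
open Suave.Filters
open Suave.Operators
open Suave.RequestErrors
open Suave.Successful

// Hypothetical user-state key under which the JWT validation step stored the principal
let principalKey = "principal"

// Host-based rule: trust is tied to a name that the attacker's DNS can re-point
// after validation, not to anything the token proves
let hostBasedAdmin : WebPart =
    request (fun req ->
        if req.host = "internal-api.example.com" then succeed
        else FORBIDDEN "Internal hosts only")

// Split the space-separated "scope" claim into individual scopes
let scopesOf (principal : ClaimsPrincipal) =
    principal.FindAll "scope"
    |> Seq.collect (fun c -> c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
    |> Set.ofSeq

// Claims-based rule: the decision depends only on the validated token, so
// re-pointing the hostname once the token has been accepted changes nothing
let requireScope (scope : string) : WebPart =
    context (fun ctx ->
        match ctx.userState.TryGetValue principalKey with
        | true, (:? ClaimsPrincipal as principal) when Set.contains scope (scopesOf principal) -> succeed
        | true, (:? ClaimsPrincipal) -> FORBIDDEN "Insufficient scope"
        | _ -> UNAUTHORIZED "No validated principal")

// Path-based routing with a scope per route, instead of a subdomain-based split
let app : WebPart =
    choose [
        GET >=> path "/users" >=> requireScope "users:read" >=> OK """{ "users": [] }"""
        DELETE >=> pathScan "/users/%s" (fun id ->
            requireScope "users:admin" >=> OK (sprintf "deleted %s" id))
        NOT_FOUND "Not found" ]
```

hostBasedAdmin is shown only for contrast; nothing in app references it.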
When integrating with the dashboard or CLI (middlebrick scan <url>), findings will highlight host-based authorization patterns and suggest replacing them with token-claim checks to reduce the attack surface exposed by DNS rebinding.