Dns Rebinding in Feathersjs
How Dns Rebinding Manifests in Feathersjs
Dns Rebinding attacks exploit the browser's same-origin policy by manipulating DNS records to make a malicious site appear to be the same origin as your Feathersjs API. This allows attackers to bypass CORS restrictions and access internal APIs that should only be available to your frontend application.
In a Feathersjs context, this vulnerability is particularly dangerous because many applications expose administrative endpoints or internal services that assume requests originate from trusted origins. A successful Dns Rebinding attack can give attackers access to:
- Admin panels and configuration endpoints
- Database administration APIs
- Internal service discovery endpoints
- WebSocket connections to internal services
- Authentication bypass through internal token validation
The attack typically unfolds in three phases: First, the attacker serves malicious JavaScript that attempts to connect to what appears to be your API domain. Second, the DNS record is manipulated (through TTL expiration or DNS rebinding services) to point to an internal IP like 192.168.1.100. Third, the browser, believing it's still communicating with the same origin, sends authenticated requests to the internal service.
Feathersjs applications are vulnerable when they rely solely on CORS configuration without validating the actual origin or implementing proper authentication. Consider this common pattern:
// Vulnerable: Only CORS configuration
const app = feathers();
app.configure(cors());
app.use('/api/users', usersService);
app.use('/api/admin', adminService); // Admin endpoints exposed!An attacker could use a service like rebind.network to make api.example.com resolve to an internal IP, then their malicious site at evil.com could access both /api/users and /api/admin endpoints as if they were the same origin.
Feathersjs-Specific Detection
Detecting Dns Rebinding vulnerabilities in Feathersjs requires both manual testing and automated scanning. middleBrick's black-box scanning approach is particularly effective because it tests the actual runtime behavior of your API without requiring source code access.
middleBrick scans for Dns Rebinding by attempting to access your API endpoints through various origin permutations and checking for inconsistent authentication or CORS behavior. The scanner tests whether your Feathersjs application properly validates request origins and whether administrative endpoints are accessible without proper authentication.
For manual detection in your Feathersjs application, examine your CORS configuration and authentication middleware. Look for patterns like:
// Example of vulnerable configuration
const app = feathers();
app.configure(cors()); // Allows all origins!
app.use('/api/admin', adminService); // No authentication middleware!middleBrick specifically checks for:
- Endpoints that return different responses based on request origin
- Administrative endpoints accessible without authentication
- Inconsistent CORS headers that could be exploited
- WebSocket endpoints that don't validate client origins
- Internal service endpoints exposed through Feathersjs hooks
The scanner also tests for LLM-specific vulnerabilities if your Feathersjs application includes AI/ML endpoints, checking for system prompt leakage and prompt injection vulnerabilities that could compound Dns Rebinding attacks.
For Feathersjs applications using authentication, middleBrick verifies that JWT tokens or session cookies aren't being sent to unexpected origins due to misconfigured CORS policies.
Feathersjs-Specific Remediation
Securing your Feathersjs application against Dns Rebinding requires a defense-in-depth approach. The most effective strategy combines strict origin validation, proper authentication, and network-layer controls.
First, implement strict CORS policies that only allow specific origins:
// Secure CORS configuration
const app = feathers();
app.configure(cors({
origin: ['https://yourdomain.com', 'https://admin.yourdomain.com'],
credentials: true
}));Next, ensure all endpoints require proper authentication, even internal ones:
// Authentication middleware for all endpoints
const auth = require('feathers-authentication');
app.configure(auth());
// Admin endpoints with authentication
app.use('/api/admin', auth.hooks.authenticate('jwt'), adminService);For WebSocket connections, validate client origins:
// Secure WebSocket connections
const io = require('socket.io')(server, {
cors: {
origin: ['https://yourdomain.com'],
methods: ["GET", "POST"]
}
});Implement IP-based restrictions for internal services:
// Restrict internal API access
const ipRestrict = require('express-ip-restrict');
app.use('/api/internal', ipRestrict.restrict({
mode: 'allow',
ips: ['192.168.1.0/24', '10.0.0.0/8']
}), internalService);middleBrick's remediation guidance includes specific recommendations for Feathersjs applications, such as using the feathers-authentication-jwt hooks consistently across all services and implementing the feathers-hooks library to add authorization checks before database operations.
For applications using Feathersjs with TypeScript, add compile-time checks:
// Type-safe authentication
interface AuthenticatedContext extends HookContext {
params: {
user: User;
authenticated: true;
};
}
// Hook that ensures authentication
const requireAuth: Hook = (context: AuthenticatedContext) => {
if (!context.params.authenticated) {
throw new errors.NotAuthenticated();
}
return context;
};Finally, consider implementing a security middleware that validates request headers and origins:
// Security middleware
app.use(async (context, next) => {
const allowedOrigins = new Set(['https://yourdomain.com']);
const origin = context.params.headers.origin;
if (origin && !allowedOrigins.has(origin)) {
throw new errors.Forbidden('Invalid origin');
}
return next();
});