HIGH dns rebindingfeathersjsbasic auth

Dns Rebinding in Feathersjs with Basic Auth

Scan for dns rebinding in feathersjs

Dns Rebinding in Feathersjs with Basic Auth — how this specific combination creates or exposes the vulnerability

DNS Rebinding is an application-layer attack that manipulates DNS responses to make a victim’s browser believe a remote host is reachable at an internal IP address. In a Feathersjs application protected with Basic Auth, this combination can bypass the intended network boundary because the client-side JavaScript is typically configured to call a hostname that resolves publicly, while the server enforces Basic Auth over HTTP. An attacker can register a domain (e.g., attacker.example) pointing to a public IP they control, then serve JavaScript that progressively resolves the hostname to an internal IP such as 127.0.0.1 or 10.0.0.1. If the Feathersjs service is bound to a non-loopback interface or does not validate the Origin or Host headers, the browser will send the Basic Auth credentials (Authorization header) to the internal address, effectively exposing privileged service access to the external attacker.

The vulnerability is exacerbated when Feathersjs is deployed in a local development environment or within a trusted network segment where services listen on internal IPs and rely on Basic Auth as the primary access control. During a DNS Rebinding attack, the malicious page can make authenticated requests to internal endpoints (e.g., /users, /settings) using the victim’s credentials without triggering CORS preflight failures if the server permits the attacker’s domain via Access-Control-Allow-Origin or lacks strict CORS configuration. Feathersjs hooks and service logic may assume that requests arriving with valid Basic Auth credentials originate from a trusted network, which can lead to unauthorized data retrieval or modification. The attack does not require the attacker to know the internal IP in advance; the rebinding process can iterate through common private ranges, and the client’s browser will relay cookies and Authorization headers if the server responds with permissive CORS or lacks proper origin checks.

To detect this using middleBrick, you can submit the public endpoint URL for an unauthenticated scan; the scanner’s checks include Input Validation and Security Header analysis, which can highlight weak CORS and missing origin validation that may facilitate DNS Rebinding in the context of Basic Auth. Because the scanner tests the unauthenticated attack surface, it can identify whether the service responds to manipulated origins or permits credentials on non-loopback-advertised interfaces. Note that middleBrick DETECTS and REPORTS — it does not fix, patch, block, or remediate. It provides findings with remediation guidance and mapping to frameworks such as OWASP API Top 10 and CORS misconfiguration patterns.

Basic Auth-Specific Remediation in Feathersjs — concrete code fixes

Remediation focuses on ensuring that Basic Auth credentials are not sent to internal IPs via rebinding and that the service validates request origins strictly. Below are concrete Feathersjs code examples that implement origin validation and secure service configuration.

// src/hooks/validate-origin.js
module.exports = function validateOrigin(options = {}) {
  return async context => {
    const allowedOrigins = new Set([
      'https://api.yourcompany.com',
      'https://app.yourcompany.com'
    ]);
    const origin = context.params.headers.origin;
    if (origin && !allowedOrigins.has(origin)) {
      throw new Error('Invalid origin');
    }
    // Ensure no wildcard for credentials
    context.params.headers['access-control-allow-origin'] = origin && allowedOrigins.has(origin) ? origin : '';
    context.params.headers['access-control-allow-credentials'] = 'true';
    return context;
  };
};

Apply the hook globally so that CORS headers are strict and credentials are not returned to unauthorized origins.

// src/app.js
const hooks = require('feathers-hooks-common');
const validateOrigin = require('./hooks/validate-origin');
const cors = require('@koa/cors');

app.configure(cors({
  origin: (origin, callback) => {
    const allowed = [
      'https://api.yourcompany.com',
      'https://app.yourcompany.com'
    ];
    callback(null, allowed.includes(origin));
  },
  credentials: true
}));

app.configure(hooks({
  before: {
    all: [validateOrigin()]
  }
}));

Additionally, bind the Feathersjs server to 127.0.0.1 if it does not need to be publicly reachable, or enforce network policies that prevent external access to internal ports. For Basic Auth, avoid relying solely on the Authorization header without origin checks; consider migrating to token-based authentication with strict scope and short-lived tokens, but if Basic Auth is required, ensure the service does not respond with Access-Control-Allow-Credentials to wildcard origins.

middleBrick’s CLI tool can be used to validate these fixes by scanning the deployed endpoint: middlebrick scan <url>. The CLI outputs JSON and text reports that include per-category findings for Authentication, CORS, and Input Validation. For teams managing multiple services, the Pro plan adds continuous monitoring and GitHub Action integration to fail builds if security scores drop, while the Web Dashboard tracks scores over time.

Scan for dns rebinding in feathersjs Free API security scan

Frequently Asked Questions

How can I test if my Feathersjs Basic Auth endpoint is vulnerable to DNS Rebinding?
Use a controlled test by registering a domain that points to your public IP and serves JavaScript that changes resolution to internal addresses (e.g., 127.0.0.1). Load the page in a browser with your Basic Auth credentials and monitor network requests; if requests to internal addresses include Authorization headers, the endpoint is vulnerable. middleBrick’s scanner includes Input Validation checks that can highlight weak CORS and missing origin validation indicative of risk.
Does enabling CORS with credentials fully protect against DNS Rebinding in Feathersjs with Basic Auth?
No. CORS with credentials must be paired with strict origin validation; allowing credentials with a wildcard origin or reflecting the Origin header without a strict allow-list can still enable DNS Rebinding. Always validate the Origin against an allow-list and avoid returning Access-Control-Allow-Credentials for unknown origins.

Related Pages

Dns Rebinding in FeathersjsHow Dns Rebinding attacks Feathersjs APIs and specific remediation using Feathersjs's native features. Includes code exaDns Rebinding with Basic AuthDns Rebinding attacks exploit Basic Auth credential caching across origins. Learn specific detection methods and remediaDns Rebinding in Feathersjs on Fly IoExplore DNS rebinding in Feathersjs on Fly.io, understand the attack vector, and apply Fly.io-specific host validation aDns Rebinding in Feathersjs on SupabaseExplore DNS Rebinding in Feathersjs with Supabase, understand the attack chain, and apply concrete code fixes to secure Dns Rebinding in Feathersjs on RailwayExplore DNS rebinding in FeathersJS on Railway, understand how hosting choices expose risks, and apply concrete code fixPci Dss: Dns Rebinding in FeathersjsmiddleBrick scans DNS rebinding risks in FeathersJS APIs, aligning with PCI DSS requirements. Get actionable findings anSoc2: Dns Rebinding in FeathersjsExplore DNS rebinding in Feathers.js APIs, understand SOC 2 implications, and apply concrete code fixes to harden hostnaIso 27001: Dns Rebinding in FeathersjsExplore DNS rebinding risks in FeathersJS services aligned with ISO 27001. Learn host validation, CORS hardening, and hoCis: Dns Rebinding in FeathersjsCIS Controls in DNS rebinding with FeathersJS: secure binding, host validation, and remediation code examples.Dns Rebinding in Feathersjs with FirestoreExplore DNS rebinding risks in Feathersjs with Firestore, and apply concrete remediation through fixed project selectionDns Rebinding in Feathersjs with DynamodbExplore DNS Rebinding in Feathersjs with Dynamodb, understand the attack surface, and apply concrete Dynamodb SDK code fDns Rebinding in Feathersjs with CockroachdbExplore DNS Rebinding risks in Feathersjs with Cockroachdb, and apply concrete connection and validation fixes to secure