Dns Rebinding in Feathersjs with Hmac Signatures

DNS rebinding is a client-side network attack that manipulates DNS responses to make a victim’s browser believe a malicious domain is actually a trusted origin. When combined with Hmac Signatures in Feathersjs, the attack surface centers on how the server validates the signature and whether it relies on hostnames or IPs that an attacker can flip after initial resolution.

In Feathersjs, Hmac Signatures are often used to ensure request integrity and origin authenticity. A typical implementation signs a canonical string that includes the HTTP method, path, timestamp, and body. The server then recomputes the Hmac using a shared secret and compares it with the header. If the server uses the request’s Host header or an origin value that can be changed via DNS rebinding after the initial handshake, an attacker may cause the server to treat a malicious domain as the expected service endpoint.

Consider a Feathersjs API that expects requests with an X-Api-Signature generated over a canonical string. If the client first resolves example.com to a benign IP, then the attacker forces the browser to switch to a malicious IP (via a short TTL and a second DNS response), the server’s host-based validation may still consider the request legitimate because it only verifies the Hmac without confirming the resolved IP or hostname against an allowlist. This mismatch between the initial DNS resolution and the subsequent IP can bypass host-based restrictions and lead to unauthorized actions, such as invoking unintended services or leaking internal data through the same Hmac-based authentication path.

Moreover, if Feathersjs services are behind a load balancer or proxy that forwards requests based on the Host header, and that header can be influenced by the rebinding step, the Hmac verification may incorrectly validate requests that should be tied to a specific network endpoint. The core issue is that Hmac Signatures protect integrity and authenticity of the message, but they do not inherently bind the computation to a specific network location unless the implementation explicitly includes the resolved IP or a pinned hostname in the signed payload.

To detect this with middleBrick, you can scan your Feathersjs endpoint. The scanner runs black-box checks including Input Validation and Authentication, and it will highlight whether host-based constraints are missing even when Hmac Signatures are used. middleBrick’s LLM/AI Security module also tests for subtle logic issues like these by probing authentication boundaries.

Remediation focuses on ensuring that the Hmac verification context includes a stable, attacker-independent identifier for the expected endpoint. Do not rely solely on the Host header or origin for authorization. Instead, pin the service identity (e.g., a fixed hostname or a certificate-bound identifier) and include it in the signed string or validate it before signature verification.

Below are concrete Feathersjs code examples that demonstrate a safer approach. The first example shows a middleware that validates Hmac Signatures while incorporating a pinned service identifier and rejecting requests where the resolved IP deviates from an allowlist.

const crypto = require('crypto');
const pinnedHostname = 'api.yourcompany.com';
const allowedIps = new Set(['192.0.2.1', '198.51.100.1']);

function verifyHmac(req, res, next) {
  const signature = req.headers['x-api-signature'];
  const timestamp = req.headers['x-timestamp'];
  const method = req.method;
  const path = req.path;
  const body = req.body;

  // Ensure the request targets the expected pinned hostname
  if (req.get('host') !== pinnedHostname) {
    return res.status(403).json({ message: 'Invalid host header' });
  }

  // Optionally validate resolved IP for additional binding (if available in context)
  const clientIp = req.connection?.remoteAddress;
  if (!allowedIps.has(clientIp)) {
    return res.status(403).json({ message: 'IP not allowed' });
  }

  const payload = `${method}\n${path}\n${timestamp}\n${JSON.stringify(body)}`;
  const expected = crypto.createHmac('sha256', process.env.HMAC_SECRET)
                         .update(payload)
                         .digest('hex');

  if (!crypto.timingSafeEqual(Buffer.from(signature || ''), Buffer.from(expected))) {
    return res.status(401).json({ message: 'Invalid signature' });
  }

  // Ensure timestamp is recent to prevent replay
  const now = Date.now();
  const reqTime = parseInt(timestamp, 10);
  if (Math.abs(now - reqTime) > 30000) {
    return res.status(400).json({ message: 'Timestamp out of window' });
  }

  next();
}

module.exports = verifyHmac;

In this example, the signed payload explicitly excludes the Host header and instead binds the verification to a pinned hostname and an allowed set of IPs. The timestamp check mitigates replay attacks. You can integrate this middleware into your Feathersjs service hooks to protect sensitive endpoints.

For broader protection, combine this with service-side host validation at the network or application level. If you use the middleBrick Pro plan, you can enable continuous monitoring to alert you if a scan detects missing host or IP binding in Hmac-secured endpoints. The GitHub Action can fail builds when risk scores drop below your configured threshold, helping you catch regressions early.

When using the CLI to verify your setup, run: middlebrick scan <your-api-url>. The dashboard lets you track these findings over time and map them to compliance frameworks such as OWASP API Top 10 and SOC2.