Exadra37

Stealing Secrets from Developers Localhost Development using Websockets

I came across this article that has some disturbing facts about using websockets from JavaScript in the browser for port scanning your machine.

The author discovered this after reading another article about why eBay is port scanning localhost via websockets.

So this made him wonder how far he could go, and he starts with this question:

This got me thinking. I know that popular JavaScript frameworks use websockets in development to automatically reload pages when content changes. Could a malicious website eaves-drop on that traffic, and find out when developers are saving their code?

The reality was slightly worse than I had thought.

And then finds these disturbing facts:

But what happens when the developer makes a typo? The webpack dev server helpfully tries to send a bunch of debugging and stack information to the developer’s screen, by way of its websocket connection.

Now things are getting juicy. We’ve got code snippets, paths to files, locations, all sorts of bits of useful info.

It gets even better if eventually the Dev accidentally typos on a line containing useful data:

Now we’ve got a copy of this developer’s AWS Dev credentials. Quick, fire up the bitcoin miners!

What are your thoughts on this? Did you ever imagine that this could get so far?

I really need to do a POC of attacking Phoenix WebSockets, because the more I read about them, the more concerned I get with using them.

Marked As Solved

chrismccord

Creator of Phoenix

Skimming the article, the author is using an external site that has js connect to localhost, right? If so, changing check_origin: false to check_origin: ["myapp.local"] in dev.exs with a host file entry would suffice to prevent another host from establishing a websocket connection to your local server.

hauleth

PSA: Do not use .local for your local development domain. It is reserved for mDNS, and you should use .localhost, which is currently reserved but unassigned to anything.

tangui

Also, some protocols work in dev only when using .localhost. For instance, WebAuthn requires TLS, with the exception of the .localhost domain, so that you don't need to enable TLS in dev.
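Here is what chrismccord's fix looks like in config/dev.exs, combined with hauleth's advice to use a .localhost name. This is an added example written for this thread, not code from the Phoenix project or from any poster; the app and module names (:my_app, MyAppWeb.Endpoint) and the host name myapp.localhost are assumed.

```elixir
# config/dev.exs (added example; names are assumptions, not the thread's own code)
import Config

# Weak setting: check_origin: false lets a page served from ANY origin open a
# WebSocket (channels and the LiveReload socket included) to the dev server.
# That is exactly what the article's eavesdropping page relies on.
#
# config :my_app, MyAppWeb.Endpoint,
#   http: [ip: {127, 0, 0, 1}, port: 4000],
#   check_origin: false

# Hardened setting: the browser's Origin header must match this host, so a
# WebSocket upgrade from any other site is refused by the endpoint.
# chrismccord's answer used myapp.local with a hosts file entry; per hauleth,
# a .localhost name is used here instead. If your resolver does not already
# send *.localhost to loopback, add this line to /etc/hosts (constructed):
#   127.0.0.1 myapp.localhost
config :my_app, MyAppWeb.Endpoint,
  # bind to loopback only, so nothing else on the LAN can reach the dev server
  http: [ip: {127, 0, 0, 1}, port: 4000],
  url: [host: "myapp.localhost", port: 4000],
  # "//host" form accepts both http and https origins for that host
  check_origin: ["//myapp.localhost"]
```

After this change, open the app at http://myapp.localhost:4000 rather than http://localhost:4000: the browser sends the page's own origin, and a page loaded from localhost would now fail the check as well, which shows up as channel and LiveReload sockets failing to connect.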

dimitarvp

I did imagine it would go this far, yes. The insanity that is serving you code (JS) which your browser – which is essentially a small OS – executes almost without scrutiny, mandated that one day this would happen.

As excited as I am for some tech innovations – WebSockets included – we definitely need to get back to basics and even the drawing board for a lot of stuff.

But there’s no funding for that so I predict a lot of very embarrassing security incidents will keep happening for years to come.
