Exadra37

Stealing Secrets from Developers Localhost Development using Websockets

I came across this article that has some disturbing facts about using WebSockets from JavaScript in the browser to port scan your machine.

The author discovered this after reading another article about why eBay is port scanning localhost via WebSockets.

So this made him wonder how far he could go, and he starts with this question:

This got me thinking. I know that popular JavaScript frameworks use websockets in development to automatically reload pages when content changes. Could a malicious website eavesdrop on that traffic, and find out when developers are saving their code?

The reality was slightly worse than I had thought.

And then he finds these disturbing facts:

But what happens when the developer makes a typo? The webpack dev server helpfully tries to send a bunch of debugging and stack information to the developer’s screen, by way of its websocket connection.

Now things are getting juicy. We’ve got code snippets, paths to files, locations, all sorts of bits of useful info.

It gets even better if eventually the Dev accidentally typos on a line containing useful data:

Now we’ve got a copy of this developer’s AWS Dev credentials. Quick, fire up the bitcoin miners!

What are your thoughts on this? Did you ever imagine that this could get so far?

I really need to do a POC of attacking Phoenix WebSockets, because the more I read about them, the more concerned I get about using them.

Marked As Solved

chrismccord

Creator of Phoenix

Skimming the article, the author is using an external site that has js connect to localhost, right? If so, changing check_origin: false to check_origin: ["myapp.local"] in dev.exs with a host file entry would suffice to prevent another host from establishing a websocket connection to your local server.


hauleth

PSA: Do not use .local for your local development domain. It is reserved for mDNS and you should use .localhost which is currently reserved but unassigned to anything.

tangui

Also some protocols work in dev only when using .localhost. For instance WebAuthn requires TLS with the exception of the .localhost domain so that you don’t need to enable TLS in dev.
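As an added example (not code from this thread or from the Phoenix project), here is what the change chrismccord describes looks like in a generated config/dev.exs, with the allowed origin written in the "//host" form the Phoenix endpoint docs use and a .localhost name per the advice from hauleth and tangui. The app name, endpoint module and host name (:my_app, MyAppWeb.Endpoint, myapp.localhost) are placeholders.

```elixir
# config/dev.exs (added example; names are placeholders)

# Before: the dev.exs that `mix phx.new` generates turns the origin check off.
# Any page open in the developer's browser can then complete a WebSocket
# handshake to the dev endpoint (live reload, channels, LiveView), because the
# browser runs on the same machine, so binding to 127.0.0.1 does not help here.
config :my_app, MyAppWeb.Endpoint,
  http: [ip: {127, 0, 0, 1}, port: 4000],
  check_origin: false

# After: only accept WebSocket upgrades whose Origin header names the host we
# use for local development. "//myapp.localhost" matches that host on any
# scheme and port; "http://myapp.localhost:4000" would pin scheme and port too.
# Requires a hosts entry, e.g. in /etc/hosts:
#   127.0.0.1 myapp.localhost
# and the app must then be opened as http://myapp.localhost:4000, since a page
# served from http://localhost:4000 no longer passes the check either.
# In a real dev.exs keep only this second config block.
config :my_app, MyAppWeb.Endpoint,
  http: [ip: {127, 0, 0, 1}, port: 4000],
  check_origin: ["//myapp.localhost"]
```

The check applies to requests that carry an Origin header, which browsers always send on a WebSocket upgrade, so the malicious-website case from the article is exactly the one it covers; a non-browser client that omits Origin is not subject to it. A mismatching origin makes Phoenix refuse the handshake before the socket's connect callback runs, so nothing the server would push over that socket is ever sent.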

dimitarvp

I did imagine it would go this far, yes. The insanity that is serving you code (JS) which your browser – which is essentially a small OS – executes almost without scrutiny mandated that one day this would happen.

As excited as I am for some tech innovations – WebSockets included – we definitely need to get back to basics and even the drawing board for a lot of stuff.

But there’s no funding for that so I predict a lot of very embarrassing security incidents will keep happening for years to come.
