Disallow proxying to metadata by default #268
Comments
|
For more notes on security, see https://github.com/Rob--W/cors-anywhere/issues/152. In particular, what you're describing is covered by this comment:
CORS Anywhere doesn't support blocking by IP yet (or even blocking based on destination. By design it's an open proxy). Merely blocking the destination IP in the URL is not sufficient, because that can be circumvented by DNS (i.e. creating an |
|
This is helpful. I think you should highlight this on main README. I would definitely have closed this loophole sooner had I known. |
|
We actually don't run this proxy at all anymore but to clarify for others reading this, the whitelist does not solve this since it's the origin (not destination) whitelist. It would prevent an attack from a browser but an adversary would obviously not run the query from a browser. They would merely set the origin host to an accepted one and still hit the internal IP as the destination. |
We've been running CORS Anywhere in a Docker container on an EC2 instance for about a year. After going through the
flaws.cloudchallenges, I realized that we used to be vulnerable to this attack by not specifying a whitelist. At some point we started specifying a whitelist, but only because it seemed to be a good idea, not because I was aware of this attach.By the same token, anybody setting this up with the default parameters (none at all) is vulnerable to this attack. Unless I'm missing something, the defaults should prohibit user requests to proxy to
169.254.169.254, no?The documentation implies (to me)that the worst that can happen if you don't whitelist is you run an open proxy and perhaps run up your bandwidth bill:
The text was updated successfully, but these errors were encountered: