Entering #233 led to a curious thought:
What if I have a firewalled environment (yeah ok I don't believe in them, but some do), a rather open RD inside accessible from outside, and someone wants to probe a local device.
The attacker can simply[1] send a POST /.well-known/core to the RD with a fake source address, let the RD query the victim's .well-known/core and then read it via the RD.
Possible mitigation: ensure client aliveness. The Echo option provides that and is still easier to implement than POST when .well-known/core needs fragmentation. Would that still be simple enough?
[1]: I suppose well-behaved firewalls do source filtering, but what do I know of them
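To make the proposed mitigation concrete, here is an added sketch (not code from the issue, the RD draft, or any RD implementation) of an RD that only performs the GET of a registrant's /.well-known/core after an Echo round trip. The Echo option as later specified in RFC 9175 lets the server answer 4.01 with a fresh Echo value and require the client to repeat the request carrying it; because the 4.01 travels to the claimed source address, a spoofer never sees the value. The addresses, the link strings and the stateless Echo layout (8-byte timestamp plus 8-byte HMAC tag bound to the source address) are assumptions made for this example.

```python
"""Added example: Echo-gated simple registration on a CoAP Resource Directory.
Not the issue's or any RD project's code.  Addresses, link strings and the
Echo layout (timestamp + HMAC tag over the source address) are constructed
assumptions for illustration."""
import hashlib
import hmac
import os
import time

ECHO_WINDOW_SECONDS = 30  # how long an issued Echo value stays acceptable

# Constructed sample: what each device would serve on GET /.well-known/core.
SAMPLE_CORES = {
    "[2001:db8:1::10]": '</sensors/temp>;rt="temperature";ct=0',
    "[2001:db8:1::20]": '</actuators/relay>;rt="relay";if="core.a"',
}


def fetch_core(addr):
    """Stand-in for the RD's GET coap://addr/.well-known/core."""
    return SAMPLE_CORES[addr]


class ResourceDirectory:
    def __init__(self, fetch=fetch_core, key=None, now=time.time):
        self._key = key or os.urandom(32)  # server-local secret, never sent
        self._fetch = fetch
        self._now = now
        self.fetches = []          # addresses the RD actually queried
        self.registrations = {}

    def _make_echo(self, src_addr):
        # Stateless Echo: 8-byte timestamp + 8-byte keyed tag bound to the
        # claimed source address (16 bytes, inside Echo's 1..40 byte limit).
        ts = int(self._now()).to_bytes(8, "big")
        tag = hmac.new(self._key, ts + src_addr.encode(), hashlib.sha256).digest()[:8]
        return ts + tag

    def _echo_valid(self, echo, src_addr):
        if echo is None or len(echo) != 16:
            return False
        ts, tag = echo[:8], echo[8:]
        expected = hmac.new(self._key, ts + src_addr.encode(), hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged, or issued for a different source address
        age = self._now() - int.from_bytes(ts, "big")
        return 0 <= age <= ECHO_WINDOW_SECONDS  # stale values are refused

    def simple_registration(self, src_addr, echo=None):
        """Handle POST /.well-known/core from src_addr; returns (code, options)."""
        if not self._echo_valid(echo, src_addr):
            # 4.01 Unauthorized carrying a fresh Echo.  Only a node that receives
            # traffic for src_addr can ever present it back.
            return "4.01", {"Echo": self._make_echo(src_addr)}
        self.fetches.append(src_addr)  # aliveness shown: now fetch the links
        self.registrations[src_addr] = self._fetch(src_addr)
        return "2.04", {}

    def lookup(self, addr):
        return self.registrations.get(addr)


class Network:
    """Toy transport: the RD's response goes to the request's source address,
    whether that address was genuine or forged."""

    def __init__(self, rd):
        self.rd = rd
        self.inbox = {}

    def send(self, src_addr, echo=None):
        code, opts = self.rd.simple_registration(src_addr, echo)
        self.inbox.setdefault(src_addr, []).append((code, opts))
        return code


def spoofed_probe(net, attacker, victim):
    """Attacker forges the victim's address.  Returns what the attacker saw,
    which addresses the RD fetched, and what a lookup for the victim yields."""
    net.send(src_addr=victim)
    echoes_seen = [o.get("Echo") for _, o in net.inbox.get(attacker, [])]
    return echoes_seen, list(net.rd.fetches), net.rd.lookup(victim)


def honest_registration(net, client):
    """Real client: receives the 4.01+Echo at its own address and repeats."""
    net.send(src_addr=client)
    _, opts = net.inbox[client][-1]
    net.send(src_addr=client, echo=opts["Echo"])
    return net.inbox[client][-1][0], net.rd.lookup(client)
```

The check is a return-routability proof, nothing more: it shows that whoever sent the POST can receive at the source address, which is exactly what defeats the spoofed registration while adding only one extra round trip for honest registrants. It does not authenticate the device, so it complements rather than replaces source-address filtering at the firewall and whatever access control the RD applies to lookups.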