Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mitmweb isn't protected against DNS rebinding #3234

Closed
atx opened this issue Jul 1, 2018 · 13 comments
Closed

mitmweb isn't protected against DNS rebinding #3234

atx opened this issue Jul 1, 2018 · 13 comments

Comments

@atx
Copy link

atx commented Jul 1, 2018

The mitmweb interface does not seem to include protection against DNS rebinding. This could be exploited by a malicious website to either access the sniffed data or run arbitrary Python scripts on the filesystem by setting the scripts config option.

I have hacked together a PoC here (nothing really special to be seen though).

@kajojify kajojify added area/web kind/triage Unclassified issues labels Jul 1, 2018
@mhils
Copy link
Member

mhils commented Jul 2, 2018

Thanks for raising this. Any recommendations on how we can fix this best?

@mhils mhils added kind/bug and removed kind/triage Unclassified issues labels Jul 2, 2018
@atx
Copy link
Author

atx commented Jul 2, 2018

I like the Jupyter implementation - effectively password protect the web interface, but pass an access token to your webbrowser.open call not to annoy the user too much. As a simpler alternative, you can implement Host header based whitelist (allowing localhost or IP address access by default).

@atx
Copy link
Author

atx commented Jul 23, 2018

CVE-2018-14505 has been assigned to this issue

@mhils
Copy link
Member

mhils commented Jul 31, 2018

Thanks again - we've just released mitmproxy 4.0.4, which includes the fix from #3243. :)

@mhils mhils closed this as completed Jul 31, 2018
satyadeepk added a commit to satyadeepk/docker-mitmweb that referenced this issue Oct 17, 2018
@chrisooo3
Copy link

chrisooo3 commented Jul 7, 2021

@mhils Is it possible to turn it off and allow DNS rebinding?

@stellarpower
Copy link

Would also like to know if this can be disabled - my instance is behind a reverse proxy so I am presuming this is safe enough for what I need it for, and accessing it externally would be helpful.

@ananthb
Copy link

ananthb commented Jul 18, 2021

Yes would love for this to be configurable.

@DenisBalan
Copy link

As @Kriechi merged #3243 into the master.
Also mentioning @mhils @atx

Whats the problem having by default DnsBinding protection enabled,
but have this option configurable?

In our case, for internal usage purposes, we need to fork this repo and revert mentioned PR in order to fulfill our needs.

IMHO, thats not the best way to do that.
Just make secure by default, and configurable for those who knows what they are doing

@chrisbecke
Copy link

What the actual ...... ..... A day spent trying to figure out why a docker swarm Traefik router for mitmweb.example.com always returned 404.

@hoogi91
Copy link

hoogi91 commented Nov 24, 2022

@chrisbecke regarding traefik you need to disable passHostHeader see below example using compose - hope it helps you too :)

mitmproxy:
    image: mitmproxy/mitmproxy
    tty: true
    command: "mitmweb --web-host *"
    labels:
      - "traefik.http.services.mitmproxy.loadbalancer.server.port=8081"
      - "traefik.http.services.mitmproxy.loadbalancer.passHostHeader=false"

@chrisbecke
Copy link

chrisbecke commented Nov 25, 2022

@hoogi91, thanks for the tip.
Ive tried using a customrequestheader middleware to set host to 1.1.1.1 - but the web socket fails and leaves the GUI in a "connecting" state and it never updates.
Setting "passHostHeader" to false causes it to show "connection lost" immediately, so I don't know if this is better or worse :/

@hoogi91
Copy link

hoogi91 commented Nov 25, 2022

@chrisbecke ah sry, forgot to mention them too, you also need to add a middleware that drops some request headers to make the websocket work:

      - "traefik.http.routers.mitmproxy-https.middlewares=mitmproxy-header@docker"
      - "traefik.http.middlewares.mitmproxy-header.headers.isDevelopment=true"
      - "traefik.http.middlewares.mitmproxy-header.headers.customrequestheaders.Host="
      - "traefik.http.middlewares.mitmproxy-header.headers.customrequestheaders.Origin="

@SciLor
Copy link

SciLor commented Jan 1, 2023

Workaround for nginx-proxy-manager for the webinterface.

location / {
proxy_set_header Host localhost:$port;
proxy_set_header Origin http://localhost:$port;
proxy_pass $forward_scheme://$server:$port;

expires off;
proxy_http_version 1.1;
proxy_redirect $forward_scheme://$http_host:$port $forward_scheme://$http_host;
proxy_buffering off;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

11 participants