from Hacker News

0.0.0.0 Day: Exploiting Localhost APIs from the Browser

by supermatou on 8/7/24, 6:57 PM with 8 comments

  • by dytir on 8/7/24, 7:40 PM

    This is not a zero day. The 0.0.0.0 bypass has been documented for a while now[1], including PNA bypass[2].

    [1] https://github.com/nccgroup/singularity/wiki/Protection-Bypa...

    [2] https://research.nccgroup.com/2023/04/27/state-of-dns-rebind...

  • by putlake on 8/8/24, 6:47 AM

    As someone who runs nginx locally for web development, this is scary. One mitigation I can think of is to use this config for your Mac's local nginx:

      server {
        listen       80  default_server;
        server_name  _; # some invalid name that won't match anything
        return       444;
      }
    
    And do the same thing for server_name localhost. For actual apps you are building, use a server_name like myapp.local rather than localhost. (edit: formatting)
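
A check for the nginx setup described in the comment above, added here as an example and not part of the thread: it sends requests with different Host headers and reports which ones are answered and which are dropped without a reply, as `return 444` does. The names `probe`, `audit`, `StandIn` and `demo` are hypothetical, the probe list other than myapp.local is constructed, and the stand-in server only imitates the described behaviour so the script runs without nginx.

```python
import http.client
import socketserver
import threading

# "myapp.local" is the name from the comment; the other Host values are constructed.
PROBES = ["localhost", "0.0.0.0", "127.0.0.1", "attacker.example", "myapp.local"]

def probe(addr, port, host_header, timeout=3):
    """Return the HTTP status, or None if the connection closed with no reply (444)."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    conn.connect()  # nothing listening raises here instead of looking like a 444
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def audit(addr, port, allowed):
    """Map each Host to (status, ok); ok = allowed names answered, all others dropped."""
    results = {}
    for host in PROBES:
        status = probe(addr, port, host)
        results[host] = (status, (status is not None) == (host in allowed))
    return results

class StandIn(socketserver.StreamRequestHandler):
    """Constructed stand-in (not nginx): replies only to Host: myapp.local."""
    def handle(self):
        host = ""
        for line in iter(self.rfile.readline, b""):
            name, _, value = line.decode("latin-1").partition(":")
            if name.lower() == "host":
                host = value.strip()
            if not line.strip():  # blank line ends the request headers
                break
        if host == "myapp.local":
            self.wfile.write(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

def demo():
    with socketserver.TCPServer(("127.0.0.1", 0), StandIn) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results = audit("127.0.0.1", srv.server_address[1], {"myapp.local"})
        srv.shutdown()
        return results
```

To check a real local nginx, call `audit("127.0.0.1", 80, {"myapp.local"})` and review any entry whose `ok` is False.
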

  • by 3np on 8/8/24, 12:10 AM

    The post includes some good remediation advice for application developers at the end.

    As a user, an already available mitigation step is using uBlock Origin and enabling the prebundled "Block Outsider Intrusion into LAN" list. It's been an option for years and protects against this very vector (including 0.0.0.0).

    That should give you an idea of how novel this finding is, BTW.

  • by outsidein on 8/7/24, 7:14 PM

    Text reads like AI generated logorrhea