--- title: "Rails 6 adds guard against DNS Rebinding attacks" description: "Rails 6 adds guard against DNS Rebinding attacks by whitelisting hosts via configuration" canonical_url: "https://www.bigbinary.com/blog/rails-6-adds-guard-against-dns-rebinding-attacks" markdown_url: "https://www.bigbinary.com/blog/rails-6-adds-guard-against-dns-rebinding-attacks.md" --- # Rails 6 adds guard against DNS Rebinding attacks Rails 6 adds guard against DNS Rebinding attacks by whitelisting hosts via configuration - Author: Midhun Krishna - Published: November 5, 2019 - Categories: Rails 6, Rails In a DNS Rebinding attack, a malicious webpage runs client-side script when it is loaded, to attack endpoints within a given network. ### What is DNS Rebinding attack? DNS Rebinding can be summarized as follows. - An unsuspecting victim is tricked into loading `rebinding.network` which is resolved by a DNS server controlled by a malicious entity. - Victims web browser sends a DNS query and gets the real IP address, say `24.56.78.99` of `http://rebinding.network`. This DNS server also sets a very short TTL value ( say 1 second ) on the response so that the client won't cache this response for long. - The script on this webpage cannot attack services running in local network due to CORS restrictions imposed by victims web browser. Instead it starts sending a suspicious POST request to `http://rebinding.network/setup/reboot` with a JSON payload `{params: factory-reset}`. - First few requests are indeed sent to `24.56.78.99` (real IP address), with the DNS info from the cache, but then the browser sends out a DNS query for `rebinding.network` when it observes that the cache has gone stale. - When the malicious DNS server gets the request for a second time, instead of responding with `24.56.78.99` (which is the real IP address of `rebinding.network`), it responds with `192.168.1.90`, an address at which, a poorly secured smart device runs. Using this exploit, an attacker is able to factory-reset a device which relied on security provided by local network. This attack is explained in much more detail [in this blog post](https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325). ### How does it affect Rails? Rails’s web console was particularly vulnerable to a Remote Code Execution (RCE) via a DNS Rebinding. [In this blog post](http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/), Ben Murphy goes into technical details of exploiting this vulnerability to open Calculator app (only works in OS X). ### How does Rails 6 mitigate DNS Rebinding? Rails mitigates DNS Rebinding attack by maintaining a whitelist of domains from which it can receive requests. This is achieved with a new [HostAuthorization](https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/host_authorization.rb) middleware. This middleware leverages the fact that HOST request header is [a forbidden header](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name). ```ruby # taken from Rails documentation # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".*\.product\.com/" ``` In the above example, Rails would render a [blocked host template](https://github.com/rails/rails/blob/ee0d0b1220adda0ee48f67cc4340ff4d702f6ed9/actionpack/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb), if it receives requests from domains outside of above whitelist. In development environment, default whitelist includes `0.0.0.0/0, ::0` ([CIDR notations for IPv4 and IPv6 default routes](https://en.wikipedia.org/wiki/Default_route)) and `localhost`. For all other environments, config.hosts is empty and host header checks are not done. ## Links - [Human page](https://www.bigbinary.com/blog/rails-6-adds-guard-against-dns-rebinding-attacks)