There is pretty much no legitimate reason that a site from the internet should access the local network.
The only exception I’ve seen to this is Synology having a NAS finder webapp that searches your local network for a Synology device and tells you the IP address. But that’s a tiny niche use case and there are other ways of finding it that don’t involve a website (the device broadcasts its identity and has a hostname FFS). Any open source IP scanner will find it instantly, or in many networks you can just type the hostname into your browser like a domain.
Being a network security specialist, I’ll ask these basic questions:
- what’s the universal definition of a private network?
- does this measure make sense in IPv6 within the global scope?
- is it the responsibility of the browser to secure against DNS rebinding?
My answers to these questions are:
- there is no universal definition, so this approach is doomed by design
- no
- heck, no; that’s the job of the webserver, by avoiding the so-called default virtual host. The `Host`/`:authority` header should always be verified, and this is sufficient to counter all forms of DNS rebinding.
It’s about time; attackers can extract quite a bit of data about the local network via the browser. It’s pretty easy to identify appliances and home routers given someone stays on a site long enough.
I thought this was something that they already patched. Good on Google this time.