added functionality to stop request even if socket is closed #12

Merged 2 commits on Apr 24, 2022

jamesbyrne113 (Contributor)

Why is this useful?

  • This prevents a URL redirection attack where a malicious user redirects to a localhost port and identifies which ports are open or not.

What happened before this?

  • The response would be ECONNREFUSED, which lets a malicious user know that the port is closed.

An optional parameter has been created so that the feature can be turned on; by default the feature is turned off.
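Why the check has to run before the socket is opened, as an added example (not part of this pull request or of request-filtering-agent's code): `lateCheck` stands in for a filter that validates only after connecting, while `earlyCheck` validates the IP literal first, so a listening and a closed loopback port produce the same error. `isBlocked`, `blockedError`, the `EBLOCKED` code and the function names are hypothetical.

```javascript
const net = require("node:net");

// Hypothetical deny rule for this demo: loopback IP literals only.
const isBlocked = (host) => net.isIP(host) !== 0 && (host === "::1" || host.startsWith("127."));
const blockedError = (host) =>
  Object.assign(new Error(`request to ${host} is not allowed`), { code: "EBLOCKED" });

// Late check (assumed stand-in for validating after the connection attempt):
// a closed port fails first with ECONNREFUSED, so open and closed ports differ.
function lateCheck(host, port) {
  return new Promise((resolve) => {
    const socket = net.connect({ host, port });
    socket.once("connect", () => {
      if (isBlocked(host)) return socket.destroy(blockedError(host));
      socket.destroy(); resolve("CONNECTED");
    });
    socket.once("error", (err) => resolve(err.code));
  });
}

// Early check: validate the IP literal before any socket exists, so the caller
// sees the same error whether or not something listens on the port.
function earlyCheck(host, port) {
  return new Promise((resolve) => {
    if (isBlocked(host)) return resolve(blockedError(host).code);
    const socket = net.connect({ host, port });
    socket.once("connect", () => { socket.destroy(); resolve("CONNECTED"); });
    socket.once("error", (err) => resolve(err.code));
  });
}

// Constructed fixture: one listening loopback port and one that was just released.
// Resolves to { late: ["EBLOCKED", "ECONNREFUSED"], early: ["EBLOCKED", "EBLOCKED"] }.
async function compareChecks() {
  const listen = () => new Promise((resolve) => {
    const server = net.createServer((c) => c.destroy());
    server.listen(0, "127.0.0.1", () => resolve(server));
  });
  const open = await listen();
  const spare = await listen();
  const [openPort, closedPort] = [open.address().port, spare.address().port];
  await new Promise((resolve) => spare.close(resolve));
  const result = {
    late: [await lateCheck("127.0.0.1", openPort), await lateCheck("127.0.0.1", closedPort)],
    early: [await earlyCheck("127.0.0.1", openPort), await earlyCheck("127.0.0.1", closedPort)],
  };
  await new Promise((resolve) => open.close(resolve));
  return result;
}
```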

@jamesbyrne113 force-pushed the ip-redirection-attack-prevention branch from dd1f4fe to d8307ca on March 29, 2022 16:37
azu (Owner) commented Mar 30, 2022

Thanks for PR!

Can you create a test for this option?
(if possible)

stopUrlRedirectionAttack

I am not familiar with this attack.
This behavior aims to stop port scans using URL redirection, so its name will be like stopPortScanningByUrlRedirection?

Comment on lines 129 to 130
if (host) {
if (net.isIP(host)) {
Owner

if(host && net.isIP(host)) { ... }

I prefer to use &&

Contributor Author

I've updated that, thanks!

@jamesbyrne113 force-pushed the ip-redirection-attack-prevention branch from d8307ca to f4a2a4e on March 30, 2022 09:08

jamesbyrne113 (Contributor Author)

> Thanks for PR!
>
> Can you create a test for this option? (if possible)
>
> stopUrlRedirectionAttack
>
> I am not familiar with this attack. This behavior aims to stop port scans using URL redirection, so its name will be like stopPortScanningByUrlRedirection?

No problem! I've created the test for it and renamed the option field.

@jamesbyrne113 force-pushed the ip-redirection-attack-prevention branch from f4a2a4e to 9c474c6 on March 30, 2022 09:10
@azu merged commit fe8d2b2 into azu:master on Apr 24, 2022

azu (Owner) commented Apr 24, 2022

Thanks!

Sorry for the delay. I've released https://github.com/azu/request-filtering-agent/releases/tag/v1.1.0
