mitmweb isn't protected against DNS rebinding

[atx]

The mitmweb interface does not seem to include protection against DNS rebinding. This could be exploited by a malicious website to either access the sniffed data or run arbitrary Python scripts on the filesystem by setting the scripts config option.

I have hacked together a PoC here (nothing really special to be seen though).

[mhils]

Thanks for raising this. Any recommendations on how we can fix this best?

[atx]

I like the Jupyter implementation - effectively password protect the web interface, but pass an access token to your webbrowser.open call not to annoy the user too much. As a simpler alternative, you can implement Host header based whitelist (allowing localhost or IP address access by default).

[atx]

CVE-2018-14505 has been assigned to this issue

[mhils]

Thanks again - we've just released mitmproxy 4.0.4, which includes the fix from #3243. :)

[grztofdev]

@mhils Is it possible to turn it off and allow DNS rebinding?

[stellarpower]

Would also like to know if this can be disabled - my instance is behind a reverse proxy so I am presuming this is safe enough for what I need it for, and accessing it externally would be helpful.

[ananthb]

Yes would love for this to be configurable.

[DenisBalan]

As @Kriechi merged #3243 into the master.
Also mentioning @mhils @atx

Whats the problem having by default DnsBinding protection enabled,
but have this option configurable?

In our case, for internal usage purposes, we need to fork this repo and revert mentioned PR in order to fulfill our needs.

IMHO, thats not the best way to do that.
Just make secure by default, and configurable for those who knows what they are doing