Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I be sure my Java web app running on localhost:8080 is invisible from my fellow Starbucks customers?

I'm developing a Spring application on my Windows 7 machine and running it on localhost:8080.

Is there any chance that if I do this in a public location like Starbucks that it is possible for my app to be visible to others?

(I'm using Windows Firewall and Microsoft Security Essentials)

like image 522
Maximus Avatar asked Dec 02 '22 03:12

Maximus


2 Answers

Be sure that it is binding to localhost:8080 (i.e., 127.0.0.1), not all interfaces (which is probably the default). Server programs usually have an option to say which IP addresses to bind. For example, in Apache, you can provide an IP address to the Listen directive in addition to a port number. If you only bind to 127.0.0.1, the port will not be open for people scanning your external IP address.

like image 94
Jeremiah Willcock Avatar answered Dec 18 '22 21:12

Jeremiah Willcock


Short answer: No.

Long answer: Someone might access your app like this:

If you visit a malicious website (if anyone at Starbucks is poisoning the DNS cache or spoofing DNS responses then you may visit a malicious website at www.google.com not knowing about it) then the attacker may send you to his domain with a DNS server (which may in fact be on his laptop) replying to the same query with very short TTL once with his IP, then with 127.0.0.1, then his IP again, etc. That way when you are sent to (http://www.example.com:8080) it is resolved as the attacker's IP and you get the website which starts an AJAX request to the same domain and the same port (so the same origin policy is satisfied in every browser) but thanks to the short TTL you don't have the domain entry in your cache any more, so you ask again and this time you get the answer 127.0.0.1 which incidentally is your own loopback interface which you assume to be invisible from the outside - and it is in fact invisible from the outside but perfectly visible from your browser. Your browser will happily connect to your app at 127.0.0.1:8080 and proxy the request to the attacker with another AJAX connection or any other side channel. Voilà, your app is now connected to the world!

Things like this happen in the wild so be careful. Sometimes people even access admin interfaces in routers behind NAT and firewalls that way. Quite frankly I'm pretty scared by all of the responses telling you that it is impossible to access anything running on localhost. Be careful what you do.

like image 26
Zed Avatar answered Dec 18 '22 19:12

Zed