Are node.js, express, socket.io, localhost on http, and alike ACTUALLY secure? [closed]

I use localhost for learning more coding, and I keep wondering the same question over and over again when I use Node.js:

Is it really safe?

Many, many people might have asked this. I would naturally want to put SSL HTTPS encryption on it, but there isn’t really anywhere you can get it, even if it may be a bit overkill.

It feels like there should and could be some "protection" or "encryption" type package for npm or something.

I haven’t used Node.js or localhost for sensitive information, but should I be worrying about this?

Establish secure connection to localhost in Firefox

I have a Greenbone Security Assistant that has me connect to 127.0.0.1 port 9392, with the command:

sudo openvas-start firefox http://localhost:9392 

in Firefox. But before (and sometimes after) connecting, Firefox throws a lot of errors about insecure connection, and always highlights the better part of the URL in red. This also happens when connecting to localhost for, say, Autopsy. Is there any way I can establish a secure connection to localhost? Maybe from the terminal, in the firefox http://whateverURLforyourapp command?

How to prevent from DNS spoofing in Java code which obtains a name of localhost

FORTIFY static scan has detected that this piece of our java code is vulnerable to DNS spoofing attack:

    import java.net.Inet4Address;
    import java.net.UnknownHostException;

    // Returns the local machine's host name, or null when it cannot be resolved.
    public String getLocalhostName() {
        try {
            return Inet4Address.getLocalHost().getHostName();
        } catch (UnknownHostException e) {
            return null;
        }
    }

FORTIFY also gives these recommendations:

Recommendations:

You can increase confidence in a domain name lookup if you check to make sure that the host’s forward and backward DNS entries match. Attackers will not be able to spoof both the forward and the reverse DNS entries without controlling the nameservers for the target domain. This is not a foolproof approach however: attackers may be able to convince the domain registrar to turn over the domain to a malicious nameserver. Basing authentication on DNS entries is simply a risky proposition.

My questions are:

  1. Is getting the local host name really vulnerable to such an attack? I can’t imagine such a scenario.
  2. How to implement this check in practice (in this code snippet)?

Thank you.
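The forward-confirmed reverse DNS check that the scanner recommends, written as an added Python example rather than in the Java of the question, and generalised to any host name (it only adds confidence where the name is actually used for an authorization decision). The resolver tables are constructed so it runs offline; the defaults use the system resolver.

```python
import socket

# Constructed resolver tables so the check runs offline.
FORWARD_TABLE = {
    "host.example.test": {"192.0.2.10"},
    "other.example.test": {"192.0.2.10"},  # shares the IP but the PTR is not its name
    "noptr.example.test": {"192.0.2.20"},  # address with no reverse record at all
}
REVERSE_TABLE = {"192.0.2.10": "host.example.test"}


def system_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}


def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def fcrdns_consistent(hostname, forward=system_forward, reverse=system_reverse):
    """Forward-confirmed reverse DNS: every address the name resolves to must
    have a PTR naming this host, and that PTR name must resolve back to the
    same address. Any lookup failure or empty answer counts as a mismatch."""
    def canon(name):
        return name.rstrip(".").lower()
    try:
        addrs = forward(hostname)
        if not addrs:
            return False
        for ip in addrs:
            ptr = reverse(ip)
            if canon(ptr) != canon(hostname) or ip not in forward(ptr):
                return False
    except (socket.herror, socket.gaierror, OSError, KeyError):
        return False
    return True


def check_constructed():
    """Run the check against the constructed tables: a consistent name, a
    name whose PTR points to a different host, and an address with no PTR."""
    fwd = lambda n: FORWARD_TABLE.get(n, set())
    rev = lambda ip: REVERSE_TABLE[ip]  # KeyError stands in for "no PTR record"
    return {name: fcrdns_consistent(name, fwd, rev) for name in FORWARD_TABLE}
```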

Free EV on localhost

I’m doing some pen tests on my localhost and I was wondering if I could find an EV for localhost only. If there is an EV that is free just for localhost, that will be fine. I know EV is expensive, but I was wondering, if I ask Digicert, Comodo or Cloudflare, do they have SSL for pentest?

Transfer requests for localhost zone on my bind DNS server

I use Debian stretch and Bind 9.10.3 as my DNS server.

Today I saw the following entry in my log file:

    Apr 17 23:04:22 ns named[111]: client 45.83.65.112#48974 (localhost): transfer of 'localhost/IN': AXFR started (serial 2)
    Apr 17 23:04:22 ns named[111]: client 45.83.65.112#48974 (localhost): transfer of 'localhost/IN': AXFR ended

The IP address belongs to zone dns-ops.arin.net. and whois points to INTERNET-RESEARCH-NET.

  1. Do I need to be concerned?
  2. Why do they transfer the localhost zone?
  3. Why is this transfer successful? (*)

(*) My config is largely the default Debian one. Importantly I have not modified the stock named.conf.default-zones file, i.e. no transfers should be allowed at all:

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
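As an added example (not part of the question), a small detector for the log entries shown above: it parses named's "transfer of" messages and reports every AXFR started by a client outside the networks of your own secondaries. The sample log is constructed from the two lines in the question plus one legitimate transfer from a LAN secondary; the allowed network is an assumption.

```python
import ipaddress
import re

# Shape of the named "transfer of" messages quoted in the question.
AXFR_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"transfer of '(?P<zone>[^']+)': AXFR (?P<event>started|ended)"
)

# Constructed sample: the question's two lines plus one transfer by a LAN secondary.
SAMPLE_LOG = """\
Apr 17 23:04:22 ns named[111]: client 45.83.65.112#48974 (localhost): transfer of 'localhost/IN': AXFR started (serial 2)
Apr 17 23:04:22 ns named[111]: client 45.83.65.112#48974 (localhost): transfer of 'localhost/IN': AXFR ended
Apr 17 23:05:01 ns named[111]: client 192.168.1.2#51000 (example.test): transfer of 'example.test/IN': AXFR started (serial 7)
"""

# Assumed: the only hosts that should ever pull zones from this server.
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.168.1.0/24")]


def unexpected_axfr(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone) for each AXFR 'started' event whose client is
    not inside one of the allowed secondary networks."""
    hits = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if not m or m["event"] != "started":
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in allowed):
            hits.append((str(ip), m["zone"]))
    return hits
```

A hit here normally means allow-transfer is at its default: BIND 9.10 allows zone transfers to any client unless allow-transfer restricts them, in named.conf.options or per zone.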

Chrome: why is invalid certificate usage for resources loaded from localhost disabled?

In Chrome there is a flag called allow-insecure-localhost. As far as I can tell, all it does is block localhost connections over TLS if the certificate is self-signed.

Why is this feature turned off by default? Does it affect regular users in any way (regular user = someone who is not developing something)? Are there any serious cases of localhost connections being used maliciously that could have been prevented by having this option enabled?

man-in-the-middle’d packets have bad and incorrect checksums on localhost, how to find the malware?

I am trying to fix a man-in-the-middle’d macOS Catalina machine. I have been viewing packets with tcpdump and noticed that, on connecting to any web address, there are legitimate packets that get sent to the DNS server… then… there are packets that get sent from 127.0.0.1:53482 (or some port) to 127.0.0.1:443 — the packet headers are labelled with incorrect checksum (cksum -> incorrect). Also, there are packets 127.0.0.1:62692 (or some other port) -> 127.0.0.1:32376 labelled bad checksum (bad udp cksum). And, again localhost, 127.0.0.1:5353 -> 224.0.0.251:5353 again with bad checksum (bad udp cksum). All this traffic is on the lo0 adapter.

Example of a man-in-the-middle incident on the machine:

Legit: [screenshot: Wiki article on a different machine and different network]

MITM: [screenshot: Wiki article on the man-in-the-middle’d machine]

Packet traces:

[screenshot: incorrect checksum, destination 127.0.0.1:443]

[screenshot: bad checksum, destination 127.0.0.1:32376]

[screenshot: bad checksum, source 127.0.0.1:5353, destination 224.0.0.251:5353]

Attempts to find the process:

[screenshot: sudo lsof -i]

[screenshot: netstat]

My guess is this is related to some corruption with mDNSResponder? I would welcome and appreciate any tips or suggestions on how to solve this.

Many thanks

OAuth native app without localhost redirect

Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).

Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:

  1. Command line tool initiates intent to perform OAuth flow to Application Server.
  2. Application Server generates a random in-progress session token and a separate random OAuth flow state value
  3. Application Server stores both values in the database together
  4. Application Server returns both values to the Command line tool
  5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server
  6. User authenticates
  7. Authorization Server redirects to the Application Server along with the state value
  8. Application Server retrieves the authorization code and stores it in the database along with the in-progress session token and OAuth state value
  9. Command line tool submits the in-progress session token to the Application Server
  10. Application server retrieves the authorization code from the database and treats it as if the command line tool provided it

Outside of the potential for DoS abuse on submitting lots of OAuth initiations and the potential for the command line tool to initiate step 9 before the application server has completed step 8, are there other security issues to be concerned with?
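The Application Server side of the proposed flow (steps 2 to 4, 8, and 9 to 10), as an added Python example that is not part of the question; an in-memory dict stands in for the database. It makes the two points a reviewer would want explicit: the state lookup only accepts a code once, so a second redirect cannot rebind it, and a redeem that arrives before the redirect (the race in the question) gets a "pending" answer instead of an error, while every token is single-use and expires.

```python
import secrets
import time


class AuthBroker:
    """Application Server side of the modified flow (constructed in-memory
    store standing in for the database; a real deployment would persist it)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.by_state = {}    # OAuth state -> record, looked up on the redirect
        self.by_session = {}  # in-progress session token -> the same record

    def initiate(self):
        """Steps 2-4: mint both random values and store them together."""
        rec = {"state": secrets.token_urlsafe(32), "session": secrets.token_urlsafe(32),
               "code": None, "created": time.time(), "used": False}
        self.by_state[rec["state"]] = rec
        self.by_session[rec["session"]] = rec
        return rec["session"], rec["state"]

    def callback(self, state, code):
        """Step 8: bind the code to the record the state belongs to. Unknown,
        expired or already-completed state is rejected, so a second redirect
        cannot overwrite a code that is waiting to be redeemed."""
        rec = self.by_state.get(state)
        if rec is None or rec["code"] is not None or self._expired(rec):
            return False
        rec["code"] = code
        return True

    def redeem(self, session):
        """Steps 9-10: ("pending", None) while the browser leg is unfinished,
        ("ok", code) exactly once, ("invalid", None) for unknown, expired or
        already-used tokens."""
        rec = self.by_session.get(session)
        if rec is None or rec["used"] or self._expired(rec):
            return "invalid", None
        if rec["code"] is None:
            return "pending", None
        rec["used"] = True
        del self.by_state[rec["state"]]  # neither value can be replayed
        del self.by_session[session]
        return "ok", rec["code"]

    def _expired(self, rec):
        return time.time() - rec["created"] > self.ttl
```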