0.0.0.0 Day: Exploiting Localhost APIs from the Browser

This is not a zero day. The 0.0.0.0 bypass has been documented for a while now[1], including PNA bypass[2].<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;nccgroup&#x2F;singularity&#x2F;wiki&#x2F;Protection-Bypasses">https:&#x2F;&#x2F;github.com&#x2F;nccgroup&#x2F;singularity&#x2F;wiki&#x2F;Protection-Bypa...</a><p>[2] <a href="https:&#x2F;&#x2F;research.nccgroup.com&#x2F;2023&#x2F;04&#x2F;27&#x2F;state-of-dns-rebinding-in-2023&#x2F;" rel="nofollow">https:&#x2F;&#x2F;research.nccgroup.com&#x2F;2023&#x2F;04&#x2F;27&#x2F;state-of-dns-rebind...</a>

As someone who runs nginx locally for web development, this is scary. One mitigation I can think of is to use this config for you Mac&#x27;s local nginx:<p><pre><code> server { listen 80 default_server; server_name _; # some invalid name that won&#x27;t match anything return 444; } </code></pre> And do the same thing for server_name localhost. For actual apps you are building, use a server_name like myapp.local rather than localhost. (edit: formatting)

The post includes some good remediation advice for application developers at the end.<p>As a user, an already available mitigation step is using uBlock Origin and enabling the prebundled &quot;Block Outsider Intrusion into LAN&quot; list. It&#x27;s been an option for years and protects against this very vector (including 0.0.0.0).<p>That should give you an idea of how novel this finding is, BTW.

Text reads like AI generated logorrhea