[RESOLVED] NAT Pinning rule question

Discussions about the Application Boundaries Enforcer (ABE) module

Post by barbaz » Fri Sep 21, 2018 2:51 pm

I would like to try out Icedove-UXP, but the ABE NAT Pinning Rule is blocking the download links - https://wiki.hyperbola.info/doku.php?id=en:project:icedove-uxp

If I add an exception for this, will I be vulnerable to NAT pinning?
*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 8724
Joined: Sat Aug 03, 2013 5:45 pm

Re: NAT Pinning rule question

Post by Giorgio Maone » Fri Sep 21, 2018 10:54 pm

What does your exception look like?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Giorgio Maone
Site Admin
 
Posts: 8640
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NAT Pinning rule question

Post by barbaz » Sat Sep 22, 2018 12:24 am

I haven't added one, but if I did I would probably try this -
Code:
Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]

Re: NAT Pinning rule question

Post by Giorgio Maone » Sat Sep 22, 2018 6:13 am

barbaz wrote: I haven't added one, but if I did I would probably try this -
Code:
Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]

That's perfectly fine: it's specific enough, and uses https, so it couldn't be used for rebinding unless the attacker owns a valid hyperbola.info certificate, which would be bigger trouble, opening the way for much easier attacks.
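
To see which requests the exception discussed above actually covers, here is an added JavaScript example (not part of the original posts and not NoScript's ABE code). It assumes `*` in a Site resource matches any run of characters and that the `^` origin pattern is tested as a regular expression against the origin URL; the function names and all request URLs except the wiki page are constructed for illustration.

```javascript
// Simplified model of the exception from this thread; not NoScript's ABE code.
// Assumptions: "*" in a Site resource matches any run of characters, and a
// pattern starting with "^" is a regular expression tested against the URL.
const RULE_TEXT = [
  "Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*",
  "Accept from ^https://(?:[^/:]+\\.)?hyperbola\\.info[/:]",
].join("\n");

function patternToRegExp(pattern) {
  if (pattern.startsWith("^")) return new RegExp(pattern);
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function parseRule(text) {
  const [siteLine, acceptLine] = text.split("\n").map((line) => line.trim());
  return {
    sites: siteLine.split(/\s+/).slice(1).map(patternToRegExp),     // after "Site"
    origins: acceptLine.split(/\s+/).slice(2).map(patternToRegExp), // after "Accept from"
  };
}

// "Accept" when the exception covers the request; null when it does not,
// meaning the request is left to whatever other rules are in place.
function evaluate(rule, origin, destination) {
  if (!rule.sites.some((re) => re.test(destination))) return null;
  return rule.origins.some((re) => re.test(origin)) ? "Accept" : null;
}

const rule = parseRule(RULE_TEXT);
const WIKI = "https://wiki.hyperbola.info/doku.php?id=en:project:icedove-uxp";
const REPO = "https://repo.hyperbola.info:50000/constructed/path";
// Constructed requests as [origin, destination]; only WIKI is a URL from the thread.
const samples = [
  [WIKI, REPO],                                                 // link on the wiki page
  [WIKI, "https://git.hyperbola.info:50100/constructed/repo"],  // second Site resource
  ["http://wiki.hyperbola.info/", REPO],                        // plain http origin
  ["https://hyperbola.info.lookalike.example/", REPO],          // lookalike host (suffix)
  ["https://nothyperbola.info/", REPO],                         // lookalike host (prefix)
  [WIKI, "https://repo.hyperbola.info:50001/constructed/path"], // different port
  [WIKI, "http://repo.hyperbola.info:50000/constructed/path"],  // http destination
];

function runSamples() {
  return samples.map(([origin, destination]) => evaluate(rule, origin, destination));
}
for (const [i, verdict] of runSamples().entries()) {
  console.log(samples[i].join(" -> "), "=>", verdict ?? "not covered");
}
```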

Re: NAT Pinning rule question

Post by barbaz » Sat Sep 22, 2018 1:04 pm

Cool. Thanks Giorgio!