[RESOLVED] NAT Pinning rule question

Discussions about the Application Boundaries Enforcer (ABE) module
barbaz
Senior Member
Posts: 8789
Joined: Sat Aug 03, 2013 5:45 pm

[RESOLVED] NAT Pinning rule question

Post by barbaz » Fri Sep 21, 2018 2:51 pm

I would like to try out Icedove-UXP, but the ABE NAT Pinning Rule is blocking the download links - https://wiki.hyperbola.info/doku.php?id ... cedove-uxp

If I add exception for this, will I be vulnerable to NAT pinning?
*Always* check the changelogs BEFORE updating that important software!

User avatar
Giorgio Maone
Site Admin
Posts: 8651
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NAT Pinning rule question

Post by Giorgio Maone » Fri Sep 21, 2018 10:54 pm

What does your exception look like?

barbaz
Senior Member
Posts: 8789
Joined: Sat Aug 03, 2013 5:45 pm

Re: NAT Pinning rule question

Post by barbaz » Sat Sep 22, 2018 12:24 am

I haven't added one, but if I did I would probably try this -

Code: Select all

Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]
*Always* check the changelogs BEFORE updating that important software!

User avatar
Giorgio Maone
Site Admin
Posts: 8651
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NAT Pinning rule question

Post by Giorgio Maone » Sat Sep 22, 2018 6:13 am

barbaz wrote:I haven't added one, but if I did I would probably try this -

Code: Select all

Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]
That's perfectly fine: it's specific enough, and uses https, so it couldn't be used for rebinding unless the attacker owns a valid hyperbola.info certificate, which would be a bigger trouble opening for much easier attacks.

barbaz
Senior Member
Posts: 8789
Joined: Sat Aug 03, 2013 5:45 pm

Re: NAT Pinning rule question

Post by barbaz » Sat Sep 22, 2018 1:04 pm

Cool. Thanks Giorgio! Image
*Always* check the changelogs BEFORE updating that important software!

Post Reply