[RESOLVED] NAT Pinning rule question

Discussions about the Application Boundaries Enforcer (ABE) module
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

[RESOLVED] NAT Pinning rule question

Post by barbaz »

I would like to try out Icedove-UXP, but the ABE NAT Pinning Rule is blocking the download links - https://wiki.hyperbola.info/doku.php?id ... cedove-uxp

If I add exception for this, will I be vulnerable to NAT pinning?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NAT Pinning rule question

Post by Giorgio Maone »

What does your exception look like?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: NAT Pinning rule question

Post by barbaz »

I haven't added one, but if I did I would probably try this -

Code: Select all

Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NAT Pinning rule question

Post by Giorgio Maone »

barbaz wrote:I haven't added one, but if I did I would probably try this -

Code: Select all

Site https://repo.hyperbola.info:50000/* https://git.hyperbola.info:50100/*
Accept from ^https://(?:[^/:]+\.)?hyperbola\.info[/:]
That's perfectly fine: it's specific enough, and uses https, so it couldn't be used for rebinding unless the attacker owns a valid hyperbola.info certificate, which would be a bigger trouble opening for much easier attacks.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: NAT Pinning rule question

Post by barbaz »

Cool. Thanks Giorgio! Image
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply