
uBlock allows you to block websocket requests, e.g.

    *$websocket
will block all websocket connections. You probably want to operate on a whitelist on a site-by-site basis. Blocking localhost or 127.0.0.1 isn't reliable because sites can use DNS rebinding attacks to bypass your filters.



Thanks for this. Adding the string to uBlock Origin's "My Filters" tab worked perfectly.

    *$websocket
Tested with https://websocketstest.com/


uBlock Origin says it supports ABP filter rules, which allow for whitelisting sites, which seems like it should allow something approximating:

    ~site.com$websocket
    *,~site.com$websocket
However, this seems like it's invalid syntax, because switching your example to this opens all websocket use back up, tested via https://websocketstest.com/


That is not valid ABP filter syntax. This is what you want:

    *$websocket,domain=~site1.com
For more than a single site:

    *$websocket,domain=~site1.com|site2.com|...
I would personally suggest that people just enable advanced user mode and create rules such as:

    * 127.0.0.1 * blocked
To block all request attempts to 127.0.0.1.


Thanks for the information and all that you do. I had found the linked section from UBO to https://help.eyeo.com/en/adblockplus/how-to-write-filters#el... and assumed that *$websocket was <all_domains><separator><rule> similar to how other filters seem to work but I haven't delved too deeply in the rule syntax. Appreciate the correction.


Correction:

    *$websocket,domain=~site1.com|~site2.com|~...


That helps one of the vectors, but you can scan with pure JS too: https://portswigger.net/research/exposing-intranets-with-rel...


This helps, but can't you also do this sort of scanning without websockets?


How? This appears to bypass NATs (Network Address Translation) & Firewalls.



