Audit: Binding to all interfaces detected with hardcoded values BAN-B104
Possible binding to all interfaces.
357 "--source_ip",
358 help="The source IPv4/IPv6 address to bind to.",
359 type=str,
360 default="0.0.0.0",361 )
362 parser.add_argument(
363 "--source-port", help="The source port to bind to.", type=int, default=54320Possible binding to all interfaces.
296 else:
297 stun_addr = (stun_host, stun_port)
298 # Determine the actual local, or source IP
299 if source_ip == "0.0.0.0":300 # IPv4
301 source_ip = get_internal_ipv4(stun_addr)
302 elif source_ip == "::":Possible binding to all interfaces.
254
255# Get the network topology, external IP, and external port
256def get_ip_info(
257 source_ip="0.0.0.0",258 source_port=54320,259 stun_host=None,260 stun_port=3478,261 include_internal=False,262 sock=None,263):
264 """Get information about the network topology, external IP, and external port.
265
Description
Binding to all network interfaces can potentially open up a service to traffic on unintended interfaces, that may not be properly documented or secured. This can be prevented by changing the code so it explicitly only allows access from localhost.
When binding to 0.0.0.0, you accept incoming connections from anywhere. During development, an application may have security vulnerabilities making it susceptible to SQL injections and other attacks. Therefore when the application is not ready for production, accepting connections from anywhere can be dangerous.
It is recommended to use 127.0.0.1 or local host during development phase. This prevents others from targeting your application and executing SQL injections against your project.
Bad practice
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0, 31137)) # Binding to all interfaces
Recommended
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 31137)) # Binding to local host
```
References:
- OWASP Top 10 2021 Category A05 - Security Misconfiguration