2

I have an unsecured and out-of-date application running inside a Docker container, bound on the host device's loopback interface, that is only accessed by other applications running on that device. Am I right in thinking this would provide an adequate level of security, so that nothing external to the box would be able to access the application or know that it is even there? My thinking is that you would need access to the device before you could ever get access to the application, at which point you have bigger problems.

From my interpretation of this post, it may be possible to blindly submit requests to it without receiving a response if you were directly connected to the device (or maybe not, as the loopback device has no MAC address), but that is the only possible downside I have found to relying on the loopback interface to secure something, and as it's an HTTP application, which would run over TCP, this post seems to suggest even that is not possible.

Snipzwolf
  • 123
  • 2

1 Answer

1

In general, binding to localhost can provide a level of security, in that the application is not generally reachable from other processes unless they run on the same system.

How much practical security that provides you somewhat depends on the security of any other applications running on the host.

For example, an SSRF vulnerability in another application could lead to an attacker being able to submit requests to your application. Whilst in many cases this would have to be done blind, I have seen examples of SSRF which allow the attacker to see the responses to the requests made.

Obviously, also, if there are vulnerabilities in other applications running on the host (e.g. command injection/SQLi), then that'd likely be bad, as the attacker may be able to get access to the localhost interface to send requests.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
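The SSRF path the answer describes, as an added example that is not part of the question or the answer above: a server-side "fetch this URL for me" feature that forwards to whatever URL it is given will happily talk to a service bound on 127.0.0.1, because from the kernel's point of view the request comes from the same host. The block below shows that naive fetcher next to a hardened version that refuses loopback, link-local and private-range destinations before connecting. The function names, the blocked-range list and the loopback demo server in `main` are all assumptions made for this example, not anything from the original page.

```python
"""Added example: a naive server-side URL fetcher (the SSRF pattern) beside a
guarded one that refuses to reach loopback, link-local and RFC 1918 ranges.
Names and the demo server are assumptions for illustration, not from the page."""
import ipaddress
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Destinations a server-side fetch should never be allowed to reach. A host that
# resolves to any of these is exactly what a "loopback-only" service relies on
# being unreachable from outside the box.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",           # loopback / "this host"
    "169.254.0.0/16", "fe80::/10",                   # link-local (cloud metadata lives here)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", # RFC 1918
    "fc00::/7",                                      # IPv6 unique local
)]


def resolve_targets(host):
    """Return every IP address a host may connect to (hypothetical helper).
    Literal IPs need no resolver; 'localhost' is pinned here so the check is
    deterministic; other names go through getaddrinfo."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host.lower() == "localhost":
        return [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")]
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_blocked_address(addr):
    """True if addr falls in a blocked range. IPv4-mapped IPv6 (::ffff:127.0.0.1)
    is unwrapped first, otherwise it would slip past the IPv4 ranges."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url):
    """Return (allowed, reason) for a URL a server-side fetcher was asked to get."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        targets = resolve_targets(host)
    except socket.gaierror:
        return False, f"cannot resolve {host!r}"
    for addr in targets:
        if is_blocked_address(addr):
            return False, f"{host!r} resolves to blocked address {addr}"
    return True, "ok"


def naive_fetch(url):
    """The vulnerable pattern: fetch whatever the caller asks for."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def guarded_fetch(url):
    """Same feature, but refuses internal destinations before connecting."""
    allowed, reason = check_outbound_url(url)
    if not allowed:
        raise PermissionError(f"refusing outbound fetch: {reason}")
    return naive_fetch(url)


class _InternalOnlyHandler(BaseHTTPRequestHandler):
    """Stand-in for the loopback-bound application from the question."""
    def do_GET(self):
        body = b"internal admin page, loopback only"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def main():
    # Bind the "internal" app on 127.0.0.1 with an ephemeral port, like the question's setup.
    server = HTTPServer(("127.0.0.1", 0), _InternalOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/admin"
    print("naive fetch from another app on the same host:", naive_fetch(url))
    try:
        guarded_fetch(url)
    except PermissionError as e:
        print("guarded fetch:", e)
    server.shutdown()


if __name__ == "__main__":
    main()
```

The check runs before the connection is opened, so it closes the straightforward case the answer describes, where an attacker points another application's fetcher at `127.0.0.1`. It does not, on its own, stop DNS rebinding (a name that resolves to a public address when checked and to 127.0.0.1 when connected); the fuller fix is to connect to the address that was checked rather than re-resolving the name, which most HTTP clients need a custom transport to do.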