Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
.netcore5 request.Host.value bug or leak?
See original GitHub issueversion: .netcore5.1 I found a user can visit my site, event though my project only bind to port 9000 from local to router WAN(see img below). It shows that hacker can vist my site use port 80 and in the console make the request.Host.value shows it’s IP or HOST?
here is the .netcore source code I found in HostingRequestStartingLog.
private const string LogPreamble = "Request starting ";
_cachedToString = $"{LogPreamble}{request.Protocol} {request.Method} {request.Scheme}://{request.Host.Value}{request.PathBase.Value}{request.Path.Value}{request.QueryString.Value}
😢 5.188.210.227 is not my Server’s IP, and my project have nothing releate to php。
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Think of it like this. Your IP address is like your street address, the attacker walks up to your house, then takes out a letter addressed to someone else and puts it in your mailbox to see what happens. The first part is opening a connection, the address on the letter is the HTTP header fields. They’re separate making the connection, or walking to the house, that has already happened before you open your mailbox and see a mis-addressed envelope.
HTTP header fields are not use for TCP level routing, though they may be used if your server is behind a level 7 reverse proxy. In many cases the client is making a direct TCP connection to your server, or to your firewall which forwards all traffic on specific ports without reading it. The main purpose of the Host header is to disambiguate in the application if your server is hosting multiple sites on one IP & port. It should match the DNS Host value used to find your IP address, but it doesn’t have to.