Background

I read "How to steal any developer's local database" a while back on Hacker News, and thought it might be a fun project to try out with BugReplay. In the process I've learned how powerful DNS rebinding can be as a method of attack and the kind of damage that can be done. This article is an attempt to build on previous works and demonstrate the techniques involved.

When you look at typical authorization mechanisms, the most basic is restricting the ability to access the resource. For example, you probably spend more time making sure people can't steal or mess around with your laptop than crafting the ultimate password for it. In the case of networked software, access restrictions at the network or server layer (i.e. above the client software layer) are the most important part to secure and are often sufficient. Having a password for your SQL database is important, but security-wise it is way more important that it isn't open to connections from the internet.

Redis has unusually few security features for a database that has seen such wide adoption, even for software designed to run on secured servers. There are no access levels; any connecting user can execute system commands like FLUSHALL or DEBUG SEGFAULT. From antirez, the original developer of Redis:

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”. The reason is that, basically, 99.99% of the Redis use cases are inside a sandboxed environment.

That may have been true at the time of writing, but nowadays a whole lot of people are running Redis locally, listening on the default port. That is very far from sandboxed... it's more like a sewer. Unlike a typical remote server, your personal computer is typically used for browsing the web with a JavaScript-enabled browser.

Server Side Request Forgery (SSRF) is a method of tricking a vulnerable server into sending out malicious requests that you've crafted to services that you cannot access directly. Say you were probing Facebook's Open Graph page debugger. If you were testing it for SSRF possibilities, the input box (or the API endpoint it is posting to) would be your attack vector. Maybe you would start by plugging in 127.0.0.1 or whatsmyip.org and seeing what data is exposed.

When you're browsing the web, your browser is virtually as open as that URL input box to any website you visit. Any resource you load, via an img tag, a script tag or an XHR request, is a network request originating from your IP address to the wider Internet. That means Redis, sitting there with its default configuration of binding to localhost port 6379 with no password [1], is wide open to anyone on the internet.
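A self-check for the default configuration described above, added here as an example (it is not code from the original article or from Redis itself): it speaks the RESP wire format directly to the local instance and reports whether a PING is answered without a password. The host, port and verdict labels are assumptions; a password-protected instance answers with a NOAUTH error instead of PONG.

```python
import socket

# Assumed location of the local instance the article talks about.
REDIS_HOST = "127.0.0.1"
REDIS_PORT = 6379


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array, the wire format Redis clients speak."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        data = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the first RESP line of a reply to an exposure verdict (labels are ours)."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"               # commands run with no password at all
    if line.startswith(b"-NOAUTH"):
        return "password-required"  # requirepass is set; AUTH needed first
    return "unknown"


def audit_local_redis(host: str = REDIS_HOST, port: int = REDIS_PORT,
                      timeout: float = 2.0) -> str:
    """Send a single PING to the instance and classify its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command("PING"))
            return classify_reply(sock.recv(512))
    except OSError:
        return "not-listening"      # nothing on that port, or connection refused


if __name__ == "__main__":
    verdict = audit_local_redis()
    print(f"{REDIS_HOST}:{REDIS_PORT} -> {verdict}")
    if verdict == "open":
        print("Any client that can open a TCP connection to this port "
              "can run commands such as FLUSHALL or DEBUG SEGFAULT.")
```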