9 comments

[ 3.1 ms ] story [ 23.4 ms ] thread
Text reads like AI generated logorrhea
It's a pretty comprehensive article, with proofs-of-concept for several browsers, don't know why you got the impression it's junk.
I wouldn't say "junk" but there's a bit too much fluff and filler. The noise-to-signal is high which makes it tiresome to dig through to the meat.

E.g.

> Browsers—we’ve all got a favorite, and we all use them daily. Even non-browser applications often load resources from external domains, like when using Google Analytics and similar client-side SDKs or embedding scripts or videos.

> With the 0.0.0.0 Day vulnerability,, a single request can be enough to cause damage.

The repetitive "Oligo [Researchers] [discovered/found] ..." adds to this.

The post includes some good remediation advice for application developers at the end.

As a user, an already available mitigation step is using uBlock Origin and enabling the prebundled "Block Outsider Intrusion into LAN" list. It's been an option for years and protects against this very vector (including 0.0.0.0).

That should give you an idea of how novel this finding is, BTW.

As someone who runs nginx locally for web development, this is scary. One mitigation I can think of is to use this config for you Mac's local nginx:

  server {
    listen       80  default_server;
    server_name  _; # some invalid name that won't match anything
    return       444;
  }
And do the same thing for server_name localhost. For actual apps you are building, use a server_name like myapp.local rather than localhost. (edit: formatting)