DIRECT IP ACCESS ALLOWED

kavinkumar

Hello team..!
Im kavinkumar a bug bounty researcher and an student i have found an critical vulnerability in your site

Bug😃IRECT IP ACCESS ALLOWED
I have found the the origin ip using the SHODAN extension
34.111.242.115

And I have also found that https://34.111.242.115/signin serves as an insecure login page

Impact:
Increased Risk of DDoS: Allowing direct IP access can make systems more susceptible to Distributed Denial of Service (DDoS) attacks, where attackers flood the network with traffic, causing it to become overwhelmed and inaccessible.
Lack of Load Balancing: Direct IP access bypasses load balancers, leading to uneven distribution of traffic. This can result in some servers being overwhelmed while others are underutilized.
IP Spoofing: Attackers can use IP spoofing techniques to disguise their IP address and gain access to the system, making it difficult to track and block malicious activities.

<moderator clipped image showing QR code login tag>

Mitigation:
I'll recommend you to use an securable WEB APPLICATION FIREWALL

Use Firewalls and Security Groups
Restrict Access: Implement firewalls and security groups to restrict access to specific IP addresses or ranges. Only allow access from trusted IPs, and block all others.
Network Segmentation: Use network segmentation to isolate critical systems from direct public access. Place sensitive systems behind firewalls, making them accessible only through secure, authenticated channels.

Implement Load Balancers
Abstract IP Addresses: Use load balancers to manage traffic and abstract the underlying IP addresses from users. This ensures that users do not directly access the server’s IP addresses.
Distribute Traffic: Load balancers can distribute incoming traffic across multiple servers, reducing the risk of overload and improving redundancy.
Use VPNs and Secure Access Channels
VPN Gateways: Require remote users to connect through a Virtual Private Network (VPN) before accessing internal systems. This adds a layer of security by encrypting traffic and authenticating users.
TLS/SSL Encryption: Ensure that all connections use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt data in transit, preventing interception by attackers.
Employ Intrusion Detection and Prevention Systems (IDPS)
Monitor Traffic: Deploy Intrusion Detection and Prevention Systems to monitor traffic for suspicious activities. These systems can detect and block attacks like brute force attempts, IP spoofing, and DDoS attacks.
Anomaly Detection: Implement anomaly detection to identify and respond to unusual traffic patterns, such as spikes that could indicate a DDoS attack.

z64

Hi @kavinkumar ,

Thank you for your interest in keeping Kagi secure; however, this is not direct IP access; this is an IP of an anycast load balancer.

kavinkumar

But eventhough this is an anycast load balancer's ip address,the things that are accessed by the domain are also accessed by using this ip,the things like bruteforce,ratelimit bypass can also be performed,in this case this is vulnerable right?

z64

No, access via this IP still goes through all of our intermediate security layers. This is the "edge" of our service, it is not bypassing anything.

kavinkumar

But accessing the domain via ip address instead of domain name can have several impacts like:

Bypassing DNS Resolution
No DNS Lookup: When you access a website using its IP address, the Domain Name System (DNS) is bypassed. DNS is responsible for translating domain names (like example.com) into IP addresses. By using the IP address directly, the browser doesn’t need to perform this lookup.
Potential for Connection Issues
Virtual Hosts: Many websites are hosted on servers that use virtual hosting, where multiple domains are served from the same IP address. The server differentiates between the sites based on the requested domain name (via the Host header in HTTP requests). If you access the server directly via IP, it may not know which site you want to visit, leading to errors or serving the wrong site.
SSL/TLS Certificates: SSL/TLS certificates are typically issued for domain names, not IP addresses. If you try to access a site over HTTPS using its IP address, you may encounter a certificate mismatch warning, as the certificate won’t match the IP.
Access Restrictions
Firewall and Security Rules: Some websites or networks are configured to restrict access by IP or may only allow access via the domain name. Direct IP access might be blocked or result in limited functionality.
Geo-Restrictions: Some websites apply geo-restrictions based on domain name rather than IP. Bypassing this by using an IP address might circumvent these restrictions, though it’s not always guaranteed.
Branding and SEO
No Branding: Using an IP address eliminates the branding associated with a domain name, which can make the site look less professional or trustworthy.
SEO Implications: Search engines rank domain names, not IP addresses. Accessing a site via its IP address will not help in search engine optimization (SEO) and can also lead to duplicate content issues if search engines index both the domain and IP versions.
Email and Other Services
Email Services: Domain names are often tied to email services (e.g., @example.com). Accessing the IP address won't give you access to related services like email, which are typically configured using domain names and DNS records (like MX records).
Load Balancing and CDNs
Load Balancing: Large websites often use load balancers or content delivery networks (CDNs) to distribute traffic. The IP address you access may be for a load balancer or CDN node, not the actual server hosting the website. Bypassing the domain name could lead to incorrect routing or suboptimal performance.
Geo-IP Routing: CDNs use domain names to route users to the closest server. Accessing via IP can bypass this optimization, potentially resulting in slower load times.

mhitza

That's a lot of content with general information about what DNS is, are you using an LLM to generate the report a la https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/ ?

I'm unrelated to the Kagi team, but found the report and conversation very similar to my above link.

kavinkumar

No,I don't use any automated things to generate my report

fxgn

kavinkumar sure you don't, is that why all of your messages are written with grammatical mistakes and no punctuation, but those mistakes suddenly disappear when it's a long list that looks suspiciously like an LLM response for "why is direct IP access dangerous"?

fxgn

In fact, you are very obviously using an LLM without even understanding it's response, since all of the points you listed are nonsense.

Bypassing DNS Resolution

So what? Why would that ever be an issue?

Virtual Hosts

Yes, but that's clearly not the case here? You can access the page by the load balancer IP, that means it's not under a reverse proxy that matches on the domain name?

SSL/TLS

Yeah, that's the only potentially real issue here, but the browser literally warns you about that, and it's an issue for the user, not for Kagi. I don't think a random user would just stumble across the IP address and decide to perform an insecure login.

Access Restrictions

z64 specifically said that all of the traffic from this IP goes through the same security pipeline

Branding and SEO
Email and Other Services

You know there still is a domain, right?

Load Balancing

Yeah, it's a load balancer, why would this make the performance worse

You're clearly just trying to use ChatGPT to pretend like you know something and you found a vulnerability, while it seems like you don't even know how domain names and IPs work.