Zone Transfer in Hanami with Bearer Tokens
Zone Transfer in Hanami with Bearer Tokens — how this specific combination creates or exposes the vulnerability
Zone transfer in Hanami refers to the risk where internal DNS zone data is unintentionally exposed through an API endpoint. When an API uses Bearer Tokens for authorization but does not enforce strict scope and validation, an attacker who obtains or guesses a token may leverage it to trigger a zone transfer or access DNS-related endpoints that should be restricted. This combination becomes critical when token validation is weak, scopes are overly broad, or endpoints do not re-check authorization for secondary operations like DNS queries.
Hanami APIs often expose administrative or diagnostic routes that interact with backend services, including DNS tooling. If these routes rely solely on Bearer Token presence without verifying token scope, role, or context, an authenticated user may perform actions such as initiating zone transfers, querying internal records, or enumerating network paths. For example, a token issued for general API access might still allow calls to internal endpoints because the API does not differentiate between read-only scopes and administrative actions. This misalignment between token granularity and endpoint behavior can expose zone transfer functionality to unauthorized users.
In practice, this vulnerability manifests when an API endpoint accepts a Bearer Token and then forwards requests to an internal DNS service without additional authorization checks. The token itself becomes a proxy for higher privileges than intended. Attackers may probe endpoints like /internal/dns/zone or leverage SSRF techniques combined with token possession to trigger zone transfers, revealing internal hostnames, IP ranges, and infrastructure details. Because the scan includes Authorization testing, middleBrick flags cases where a Bearer Token grants access to administrative or DNS-related operations that should be restricted to specific service accounts or scopes.
Real-world attack patterns tied to this issue include token leakage via logs or client-side storage, token replay across services, and exploitation of overly permissive scopes. MiddleBrick’s 12 security checks run in parallel, including Authentication, BOLA/IDOR, and Property Authorization, to detect whether Bearer Token usage inadvertently permits zone transfer–type actions. Findings typically highlight missing scope validation, missing context checks, and insufficient separation between user-level and administrative operations. Remediation focuses on tightening token validation, narrowing scopes, and ensuring that DNS-related endpoints enforce explicit authorization beyond Bearer Token presence.
Bearer Tokens-Specific Remediation in Hanami — concrete code fixes
Remediation centers on ensuring Bearer Tokens are treated as scoped credentials and that each endpoint validates scope, role, and context before allowing sensitive operations like zone transfers. Avoid relying on token presence alone; instead, enforce that tokens carry minimal required permissions and that endpoints double-check authorization for administrative actions.
Example: A Hanami endpoint that queries DNS should validate scope before proceeding. Below is a secure pattern using a token introspection helper and scope checks.
module HanamiTokens
class ValidateBearerToken
def initialize(request_headers)
@headers = request_headers
end
def authorized_for?(required_scope)
token = extract_token
return false unless token
introspection = introspect_token(token)
return false unless introspection[:active]
(introspection[:scopes] & [required_scope]).any?
end
private
def extract_token
auth_header = @headers['Authorization']
return nil unless auth_header&.start_with?('Bearer ')
auth_header.split(' ').last
end
def introspect_token(token)
# Replace with your OAuth introspection endpoint or JWT validation logic
# Example response: { active: true, scopes: ['dns:read'] }
{ active: true, scopes: ['dns:read'] }
end
end
end
# In your Hanami action
post '/internal/dns/zone' do
validator = HanamiTokens::ValidateBearerToken.new(request.env)
unless validator.authorized_for?('dns:zone_transfer')
halt 403, { error: 'insufficient_scope', message: 'Token lacks dns:zone_transfer scope' }.to_json
end
# Proceed with zone transfer logic only if authorized
zone_data = DnsService.new.transfer_zone(params[:domain])
{ zone: zone_data }.to_json
end
Example: A token issued for read-only DNS queries should not be allowed to trigger zone transfers. Use scope lists to differentiate operations and enforce scope checks at the action level. For administrative endpoints, require a dedicated scope such as dns:zone_transfer and validate it explicitly.
module HanamiTokens
class ScopedTokenGuard
def self.require_scope(env, scope)
token = extract(env)
return false unless token
# Validate via introspection or JWT claims
claims = decode_jwt(token) # { 'scope' => 'dns:read' } or array of scopes
Array(claims['scope']).include?(scope)
end
def self.extract(env)
auth = env['HTTP_AUTHORIZATION']
auth&.gsub('Bearer ', '')
end
def self.decode_jwt(token)
# Use your JWT library; return claims hash
{ 'scope' => ['dns:read'] }
end
end
end
# Enforcement in action
get '/internal/dns/records/:domain' do
halt 403 unless ScopedTokenGuard.require_scope(env, 'dns:read')
DnsService.new.records(params[:domain])
end
post '/internal/dns/zone' do
halt 403 unless ScopedTokenGuard.require_scope(env, 'dns:zone_transfer')
DnsService.new.transfer_zone(params[:domain])
end
Additionally, ensure that Bearer Tokens are issued with least-privilege scopes by your authorization server and that token revocation and short lifetimes are enforced. MiddleBrick’s Pro plan supports continuous monitoring and GitHub Action integration to detect when endpoints allow operations that exceed token scope, helping you catch misconfigurations before they are exploited.