Severity: HIGH | Tags: zone transfer, hanami, mutual tls

Zone Transfer in Hanami with Mutual TLS

Zone Transfer in Hanami with Mutual TLS — how this specific combination creates or exposes the vulnerability

A Zone Transfer exposure in Hanami with Mutual TLS occurs when an application serves full DNS zone data to any client that completes the Mutual TLS handshake. Hanami is a Ruby web framework, so in practice the zone data is served by a Hanami action that fronts a DNS backend, with TLS terminated by the app server or by a reverse proxy in front of it. Mutual TLS authenticates the client and encrypts the session, but it says nothing about which authenticated clients may request a transfer; if the access controls around zone transfer requests are missing or misconfigured, any holder of a certificate issued by the trusted CA can request and receive the whole zone. middleBrick scans the unauthenticated attack surface and reports whether zone transfer endpoints are reachable over TLS from a client with no certificate and whether a client certificate is actually required to reach them.

Specifically, the vulnerability arises when the server accepts zone transfer requests (AXFR/IXFR, or an HTTP route that returns the same data) over a TLS-secured channel but does not restrict which Mutual TLS-authenticated identities may initiate them. An attacker with a valid client certificate, obtained by compromising a legitimate client or through misissuance by the CA, connects over Mutual TLS and triggers a transfer. Because the session is encrypted, controls that inspect DNS payloads on the wire (an IDS signature for AXFR queries, a middlebox rule keyed on query type) never see the request; a source-IP allowlist still applies at the network layer but cannot tell one certificate holder from another. Only the endpoint that terminates TLS can make the per-client decision, and if it does not, the transfer succeeds silently, leaking internal hostnames, IPs, and service mappings.
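To make the exchange concrete, here is an added example (not code from this page, from Hanami, or from middleBrick) of what a holder of such a certificate sends and what comes back when the server enforces no per-client transfer policy: an AXFR query in DNS wire format with the 2-byte length prefix that DNS-over-TLS requires, and a decoder for the answer. The host, port 853, certificate paths and the zone contents are assumptions; the sample response is constructed inline so the decoder runs with no server.

```ruby
require "openssl"
require "socket"

# Minimal AXFR client over DNS-over-TLS (RFC 1035 wire format, RFC 7858 framing)
# and a decoder for the reply. Sample response below is constructed, not captured.
AXFR = 252
TYPE_NAMES = { 1 => "A", 2 => "NS", 5 => "CNAME", 6 => "SOA" }.freeze

# Wire-format name: length-prefixed labels and a root terminator, no compression.
def encode_name(name)
  name.split(".").map { |l| [l.bytesize].pack("C") + l.b }.join + "\x00".b
end

# One AXFR query for zone, framed with the length prefix TCP and DoT require.
def axfr_query(zone, id: 0x1234)
  header = [id, 0x0000, 1, 0, 0, 0].pack("n6")             # opcode QUERY, RD clear, QDCOUNT 1
  msg = header + encode_name(zone) + [AXFR, 1].pack("nn")  # QTYPE AXFR, QCLASS IN
  [msg.bytesize].pack("n") + msg
end

# Decode a possibly compressed name at off; returns [name, offset after the name].
def read_name(msg, off)
  labels = []
  after = nil
  loop do
    len = msg.getbyte(off)
    if len >= 0xC0                                   # compression pointer (RFC 1035 4.1.4)
      after ||= off + 2
      off = ((len & 0x3F) << 8) | msg.getbyte(off + 1)
    elsif len.zero?
      after ||= off + 1
      break
    else
      labels << msg[off + 1, len]
      off += 1 + len
    end
  end
  [labels.join("."), after]
end

# Decode one length-prefixed response message into [owner, type, value] rows.
def parse_axfr_response(framed)
  msg = framed[2, framed[0, 2].unpack1("n")]
  _id, _flags, qd, an, _ns, _ar = msg.unpack("n6")
  off = 12
  qd.times { _q, off = read_name(msg, off); off += 4 }   # skip QTYPE/QCLASS
  Array.new(an) do
    owner, off = read_name(msg, off)
    type, _class, _ttl, rdlen = msg[off, 10].unpack("nnNn")
    rd = off + 10
    off = rd + rdlen
    value = case type
            when 1    then msg[rd, 4].unpack("C4").join(".")
            when 2, 5 then read_name(msg, rd).first
            when 6
              mname, o = read_name(msg, rd)
              _rname, o = read_name(msg, o)
              "#{mname} serial=#{msg[o, 4].unpack1("N")}"
            else msg[rd, rdlen].unpack1("H*")
            end
    [owner, TYPE_NAMES.fetch(type, type.to_s), value]
  end
end

# Constructed response: what a server with no per-client transfer policy returns.
def rr(owner, type, ttl, rdata)
  encode_name(owner) + [type, 1, ttl, rdata.bytesize].pack("nnNn") + rdata
end

def sample_axfr_response(id: 0x1234)
  soa = encode_name("ns1.example.com") + encode_name("hostmaster.example.com") +
        [2024010101, 3600, 900, 604800, 300].pack("N5")
  answers = [
    rr("example.com", 6, 3600, soa),
    rr("example.com", 2, 3600, encode_name("ns1.example.com")),
    rr("vpn.example.com", 1, 300, [10, 0, 0, 5].pack("C4")),
    rr("ci.example.com", 1, 300, [10, 0, 1, 20].pack("C4")),
    rr("example.com", 6, 3600, soa),                      # AXFR closes with the SOA again
  ]
  msg = [id, 0x8400, 1, answers.size, 0, 0].pack("n6") +  # QR and AA set
        encode_name("example.com") + [AXFR, 1].pack("nn") + answers.join
  [msg.bytesize].pack("n") + msg
end

# Live check with a client certificate: what a holder of a compromised or mis-issued
# certificate does. Reads only the first response message; large zones arrive as several.
def axfr_over_tls(host, zone, cert_pem:, key_pem:, ca_file:, port: 853)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ca_file = ca_file
  ctx.cert = OpenSSL::X509::Certificate.new(cert_pem)
  ctx.key = OpenSSL::PKey.read(key_pem)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.hostname = host
  ssl.sync_close = true
  ssl.connect
  ssl.write(axfr_query(zone))
  prefix = ssl.read(2)
  parse_axfr_response(prefix + ssl.read(prefix.unpack1("n")))
ensure
  ssl&.close
end
```

Nothing in the TLS layer distinguishes this client from a legitimate secondary: the chain verified, so unless the terminating server compares the certificate subject against the zone's allowed transfer peers, every record comes back. Decoding the constructed reply shows the shape of the leak: the SOA, the NS set, and internal A records such as vpn and ci hosts on RFC 1918 addresses.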

middleBrick exercises 12 security checks in parallel, including Authentication, BOLA/IDOR, and Data Exposure, to surface findings like "Zone Transfer Allowed Over TLS" with severity and remediation guidance. Findings map to real-world risks such as information disclosure (CWE-200) and may intersect with frameworks like OWASP API Top 10 and GDPR. The scanner supports OpenAPI/Swagger spec analysis (2.0, 3.0, 3.1) with full $ref resolution, cross-referencing spec definitions with runtime behavior to confirm whether zone transfer operations are documented and appropriately constrained.

Mutual TLS-Specific Remediation in Hanami — concrete code fixes

To remediate Zone Transfer risks in Hanami when Mutual TLS is in use, tighten both the TLS termination configuration and the application's authorization policy. Hanami itself neither terminates TLS nor speaks DNS: client certificates are verified by the app server (Puma) or by a reverse proxy such as nginx, which then hands the verified identity to the application (Puma as env["puma.peercert"], nginx through headers such as X-SSL-Client-S-DN set from $ssl_client_s_dn). Treat that identity as authentication only; the application must still check the certificate subject against an explicit allowlist for the requested zone before serving any records, and it must accept a proxy-supplied identity header only when it cannot be reached except through that proxy, otherwise a direct client can set the header itself. The following code examples show these patterns for a Hanami 2 application; the backend calls that produce the records are stand-ins for your own zone store.

1) Configure Mutual TLS at the app server and restrict zone transfer to specific certificate subjects

# config/puma.rb: Hanami has no TLS layer of its own, so client-certificate
# verification is configured on Puma (or on a reverse proxy in front of it).
# "force_peer" rejects any handshake that does not present a certificate
# chaining to ca.pem; "peer" would let certificate-less clients through.
ssl_bind "0.0.0.0", "9292",
  key: "/path/to/server.key",
  cert: "/path/to/server.crt",
  ca: "/path/to/ca.pem",
  verify_mode: "force_peer"

# config/routes.rb (inside the Routes class)
get "/zones/transfer", to: "zones.transfer"

# app/actions/zones/transfer.rb: Puma exposes the verified peer certificate
# to the action as request.env["puma.peercert"] (an OpenSSL::X509::Certificate).
require "openssl"
require "json"
require "hanami/action"

module DnsAdmin
  module Actions
    module Zones
      class Transfer < Hanami::Action
        ZONE_TRANSFER_POLICY = {
          allowed_subjects: %w[CN=dns-admin.example.com CN=dns-backup.example.com],
          transfer_zone: "example.com"
        }.freeze

        def handle(request, response)
          cert = request.env["puma.peercert"]
          # nil when no certificate was presented or TLS was terminated elsewhere
          subject = cert&.subject&.to_s(OpenSSL::X509::Name::RFC2253)
          unless ZONE_TRANSFER_POLICY[:allowed_subjects].include?(subject)
            halt 403, { error: "zone transfer not permitted" }.to_json
          end
          response.format = :json
          response.body = authorized_transfer(ZONE_TRANSFER_POLICY[:transfer_zone], subject)
        end
      end
    end
  end
end

2) Validate client certificate details before processing AXFR/IXFR requests

# Rack middleware run before any action. Puma has already chain-verified the
# certificate; this checks it was issued for client authentication. There is no
# standard EKU for zone transfer (1.3.6.1.5.5.7.1.24, sometimes used in such
# checks, is id-pe-tlsfeature, i.e. OCSP must-staple, not a privilege), so the
# per-zone decision stays in the action.
require "openssl"
require "json"

class MutualTlsZoneTransferGuard
  CLIENT_AUTH = "TLS Web Client Authentication" # OpenSSL's text for id-kp-clientAuth

  def initialize(app)
    @app = app
  end

  def call(env)
    cert = env["puma.peercert"]
    return forbidden("client certificate required") unless cert.is_a?(OpenSSL::X509::Certificate)
    eku = cert.extensions.find { |e| e.oid == "extendedKeyUsage" }
    return forbidden("insufficient privileges") unless eku && eku.value.split(",").map(&:strip).include?(CLIENT_AUTH)
    @app.call(env)
  end

  private
  def forbidden(message)
    [403, { "Content-Type" => "application/json" }, [{ error: message }.to_json]]
  end
end

# config/app.rb: Hanami 2 registers middleware through the app configuration
module DnsAdmin
  class App < Hanami::App
    config.middleware.use MutualTlsZoneTransferGuard
  end
end

3) Enforce per-request scope and logging for auditability

# Private helper of the Transfer action. dns_backend and last_serial stand in
# for your zone store; they are not Hanami APIs.
class DnsAdmin::Actions::Zones::Transfer
  ALLOWED_ZONES = %w[example.com].freeze

  private

  def authorized_transfer(zone, subject)
    # Only exact, allowlisted zone names: no wildcards, no "all zones" request
    halt 403, { error: "zone not eligible for transfer" }.to_json unless ALLOWED_ZONES.include?(zone)
    # Incremental transfer scoped to this zone from the last serial the store knows
    records = dns_backend.ixfr(zone, from: last_serial(zone))
    Hanami.logger.info(
      "zone transfer",
      subject: subject, zone: zone, records_count: records.size
    )
    { zone: zone, records: records }.to_json
  end
end
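Putting the three steps together, the following is an added example (not Hanami's, this page's, or middleBrick's code) of the complete per-request decision, exercised offline with self-signed test certificates: it reads the certificate Puma exposes as env["puma.peercert"], requires an explicit clientAuth extended key usage, checks the validity window, and maps the RFC 2253 subject to the zones that identity may transfer. The ACL contents, zone names and certificate subjects are assumptions; in production the chain is verified by Puma against the configured CA, which the self-signed certificates here do not model.

```ruby
require "openssl"
require "json"

# Constructed per-zone transfer ACL; subjects in the RFC 2253 form that
# OpenSSL::X509::Name#to_s(RFC2253) prints ("CN=x,O=y").
ZONE_TRANSFER_ACL = {
  "example.com"      => %w[CN=dns-backup.example.com],
  "internal.example" => %w[CN=dns-backup.example.com CN=dns-admin.example.com],
}.freeze

CLIENT_AUTH = "TLS Web Client Authentication" # OpenSSL's text for id-kp-clientAuth

# Stricter than RFC 5280, where a missing EKU permits any use: demand explicit clientAuth.
def client_auth?(cert)
  eku = cert.extensions.find { |e| e.oid == "extendedKeyUsage" }
  return false unless eku
  eku.value.split(",").map(&:strip).include?(CLIENT_AUTH)
end

# Decide one transfer request. Puma sets env["puma.peercert"] only after the chain
# verified against its CA, so a missing entry means "not authenticated", never
# "trusted by default". Returns [:allow, subject] or [:deny, reason].
def authorize_zone_transfer(env, zone)
  cert = env["puma.peercert"]
  return [:deny, "client certificate required"] unless cert.is_a?(OpenSSL::X509::Certificate)
  return [:deny, "certificate not issued for client authentication"] unless client_auth?(cert)
  now = Time.now
  return [:deny, "certificate outside validity period"] unless cert.not_before <= now && now <= cert.not_after
  allowed = ZONE_TRANSFER_ACL[zone]
  return [:deny, "zone not eligible for transfer"] unless allowed   # also rejects "*" and unknown zones
  subject = cert.subject.to_s(OpenSSL::X509::Name::RFC2253)
  return [:deny, "subject not permitted for zone"] unless allowed.include?(subject)
  [:allow, subject]
end

# Rack-style response for the transfer route; on :allow the body would carry the records.
def zone_transfer_response(env, zone)
  verdict, detail = authorize_zone_transfer(env, zone)
  if verdict == :allow
    [200, { "Content-Type" => "application/json" }, [{ zone: zone, subject: detail }.to_json]]
  else
    [403, { "Content-Type" => "application/json" }, [{ error: detail }.to_json]]
  end
end

# Self-signed test certificate (constructed); exercises the subject/EKU/validity
# logic without a CA. eku: nil omits the extension, eku: "serverAuth" mis-issues it.
def test_client_cert(cn, eku: "clientAuth", not_after: Time.now + 3600)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  if eku
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("extendedKeyUsage", eku))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end
```

The same function serves an nginx deployment if the identity is rebuilt from X-SSL-Client-S-DN and X-SSL-Client-Verify, but only when the application is not reachable except through the proxy; a client that can hit Puma directly can send those headers itself, which is why the Puma-verified certificate object is the safer source.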

These changes ensure that even when Mutual TLS is enforced, zone transfers are limited to explicitly permitted identities, zones and operations. middleBrick can validate the remediation by re-scanning the endpoint and confirming that zone transfer attempts without a trusted client certificate no longer succeed; confirming that legitimate transfers still work is a job for your own integration test run with an authorized certificate, since the scanner works from the unauthenticated side and holds none.

Frequently Asked Questions

Can middleBrick detect zone transfer exposure when Mutual TLS is used?
Yes. middleBrick scans the unauthenticated attack surface, including TLS-secured endpoints, and flags whether zone transfer mechanisms appear accessible, providing severity, findings, and remediation guidance.
Does middleBrick fix zone transfer or certificate issues found in Hanami?
No. middleBrick detects and reports findings with remediation guidance. It does not fix, patch, block, or remediate issues in your environment.