0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)
The Oligo Security blog discloses a web-browser vulnerability that has been named "0.0.0.0 day". In short, browsers will allow JavaScript code to open connections to the all-zeroes IPv4 address; the result is that any port that is open on the local host can be accessed by a remote site.
"When services use localhost, they assume a constrained environment. This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."
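The practical consequence for anyone running a development server or local agent is that "it only listens on localhost" is not a security boundary against a browser. The following is an added example (not code from Oligo's write-up) of the kind of check such a service can apply on every request: accept only requests whose Host header names the loopback interface and whose Origin, if a browser sent one, is on an explicit allowlist. The `ALLOWED_HOSTS` set and the `LocalOnlyHandler` class are assumptions of this example, not anything from the disclosure.

```python
import http.server
from typing import Iterable, Mapping

# Host values a browser sends when it genuinely addresses this machine.
# "0.0.0.0" is deliberately absent: a page served from a remote origin can
# reach a loopback listener through it, so a request carrying that Host is
# treated as not local.  (Assumed policy for this example.)
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _strip_port(host: str) -> str:
    # "[::1]:8080" -> "[::1]", "127.0.0.1:8080" -> "127.0.0.1"
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def is_local_request(headers: Mapping[str, str],
                     allowed_origins: Iterable[str] = ()) -> bool:
    """True only if Host is a loopback name and any Origin is allowlisted."""
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host")
    if host is None or _strip_port(host.strip()).lower() not in ALLOWED_HOSTS:
        return False
    origin = h.get("origin")
    if origin is None:
        # No Origin: same-origin navigation or a non-browser client such as curl.
        return True
    # A browser on another origin announces itself here; only trusted
    # front-ends (e.g. a local UI on a known port) get through.
    return origin in set(allowed_origins)


class LocalOnlyHandler(http.server.BaseHTTPRequestHandler):
    """Minimal loopback service that refuses requests reaching it via 0.0.0.0."""

    def do_GET(self):
        if not is_local_request(self.headers):
            self.send_error(403, "request did not arrive via a loopback host name")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from loopback\n")


if __name__ == "__main__":
    # Binding to 127.0.0.1 limits who can connect; the Host check above limits
    # which browser-originated requests are honoured once they do.
    http.server.HTTPServer(("127.0.0.1", 8080), LocalOnlyHandler).serve_forever()
```

The Host check is the part that specifically defeats the 0.0.0.0 path, since the browser fills in exactly the address the page asked for; the Origin check is the usual cross-site defence that is independent of it.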