Fly Replay Attack

I need tenant isolation in my application, tenant’s have full control of their machines, and can in theory put secrets on them.

The current setup:

1. Server App
2. Tenant App

• On a custom private network
• has a flycast IP from the server App (Custom private networks · Fly Docs)

My question is can a tenant machine be written to respond with fly replay to get a request to run on another tenant’s machine ? Custom private networks · Fly Docs . Fly Replay seems to proxy to any application within the organization without needing any permissions. (Dynamic Request Routing with fly-replay · Fly Docs)

┌────────────────┬──────────────────────────────────────────────┐
│ Attack │ Result │
├────────────────┼──────────────────────────────────────────────┤
│ fly-replay │ BREACH — Fly Proxy replayed the request to │
│ injection │ pingpong despite our proxy stripping the │
│ │ header │
├────────────────┼──────────────────────────────────────────────┤
│ flycast direct │ PASS — blocked (DNS/routing isolated) │
│ probe │ │
├────────────────┼──────────────────────────────────────────────┤
│ DNS resolution │ PASS — blocked (no cross-network resolution) │
│ probe │ │
├────────────────┼──────────────────────────────────────────────┤
│ .fly.dev │ PASS — blocked │
│ bypass │ │
└────────────────┴──────────────────────────────────────────────┘

The critical finding: the fly-replay header from mallory’s response
caused Fly Proxy to replay the original request directly to
pingpong, bypassing the cloud-harness proxy entirely. Look at the
evidence in pingpong’s log:

• fly-replay-src: instance=xyz — that’s mallory’s machine
  ID
• fly-dispatch-start: … instance=abc — dispatched
  directly to pingpong
• The request path is /attack/replay — the original client request
  was replayed to pingpong

Fly replay can go across all apps in the org by default. Need org level isolation.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.