
0.0.0.0 is NOT localhost or 127.0.0.1

Posted Aug 16, 2024 9:28 UTC (Fri) by farnz (subscriber, #17727)
In reply to: 0.0.0.0 is NOT localhost or 127.0.0.1 by georg
Parent article: 0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)

In RFC960, it's hinted at under "Special Addresses:", where it says that all-zeroes means "this" as in "this network".


0.0.0.0 is NOT localhost or 127.0.0.1

Posted Aug 16, 2024 9:30 UTC (Fri) by georg (subscriber, #172475)

Interesting, thank you!

0.0.0.0 is NOT localhost or 127.0.0.1

Posted Aug 16, 2024 11:22 UTC (Fri) by excors (subscriber, #95769)

As far as I can see, RFC960 doesn't really say that. It says zero means "this network" "In certain contexts" (without specifying which contexts); it could mean other things in other contexts. And it's not talking about all-zeroes: it gives the example of "0.0.0.37 could be interpreted as meaning host 37 on this network", which I'd infer applies also to 0.37.37.37 and 0.0.37.37, as there's always 8/16/24 (but not 32) bits for the host number. I think that means 0.0.0.0 would be host 0 on this network, but nothing in RFC960 says host 0 is this host.

Nowadays https://www.iana.org/assignments/iana-ipv4-special-registry says much more clearly that 0.0.0.0/8 is "this network" (RFC791) and 0.0.0.0/32 is "this host on this network" (RFC1122, where it's referred to as "{ 0, 0 }"), though they're only valid when used as the source address of an IP packet, not as destination. (Network APIs might still let you send to 0.0.0.0 but since it's being handled purely locally, not going over actual IP, the IP RFCs don't apply and the APIs can do whatever they want.)
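An added example, not part of any comment in this thread: a small Python classifier for the two registry entries named in the last comment, showing that 0.0.0.0 and 0.0.0.37 fall in the 0.0.0.0/8 block rather than the loopback block. The function name, labels and sample addresses are constructed for illustration.

```python
import ipaddress

# Registry entries named in the comment above, most specific prefix first.
# Per that comment, both are valid only as a source address.
ZERO_BLOCKS = [
    (ipaddress.ip_network("0.0.0.0/32"), "this host on this network (RFC1122)"),
    (ipaddress.ip_network("0.0.0.0/8"), "this network (RFC791)"),
]


def classify(addr_text):
    """Classify an IPv4 literal; returns (label, valid_as_destination).

    valid_as_destination is None where the thread gives no rule.
    """
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ipaddress.AddressValueError:
        return ("not an IPv4 literal", None)
    for net, label in ZERO_BLOCKS:
        if addr in net:
            return (label, False)
    if addr.is_loopback:
        return ("loopback (127.0.0.0/8)", None)
    return ("no entry covered here", None)


if __name__ == "__main__":
    # Constructed sample addresses, including those quoted in the thread.
    for sample in ["0.0.0.0", "0.0.0.37", "0.37.37.37", "127.0.0.1",
                   "192.0.2.10", "localhost"]:
        label, dest_ok = classify(sample)
        print(f"{sample:12} {label:40} valid as destination: {dest_ok}")
```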

