The mitmweb interface does not seem to include protection against DNS rebinding. This could be exploited by a malicious website to either access the sniffed data or run arbitrary Python scripts on the filesystem by setting the scripts config option.
I have hacked together a PoC here (nothing really special to be seen though).
Thanks for raising this. Any recommendations on how we can fix this best?
I like the Jupyter implementation - effectively password protect the web interface, but pass an access token to your webbrowser.open call not to annoy the user too much. As a simpler alternative, you can implement Host header based whitelist (allowing localhost or IP address access by default).
CVE-2018-14505 has been assigned to this issue
Thanks again - we've just released mitmproxy 4.0.4, which includes the fix from #3243. :)