DNS Rebinding and DNS Pinning
Normally, requests from code embedded in web pages (JavaScript, Java, Flash) are limited to the website they originate from (the same-origin policy). A DNS rebinding attack can be used to improve the ability of JavaScript-based malware to penetrate private networks by subverting the same-origin policy.
The basis of this attack is old: it was described by Princeton University in 1996.
For the attack to succeed, the attacker needs to control the DNS entry for his web server (www.evil.com in the following example).
Attacking an intranet host located at 192.168.66.6 would roughly work like this:
- The victim downloads a malicious script from www.evil.com, which resolves to 66.66.66.66
- After the script has been downloaded, the attacker modifies the DNS answer for www.evil.com to 192.168.66.6
- The malicious script requests a web page from www.evil.com
- The web browser again does a DNS lookup for www.evil.com, but now it resolves to the intranet host at 192.168.66.6
- The web browser assumes that the domain values of the malicious script and the intranet server match, and therefore grants the script unlimited access to the intranet server.
To prevent this type of attack, modern web browsers implement "DNS Pinning": DNS lookup results are kept unchanged for the entire browser session, even though the DNS entry's lifetime may be shorter.
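To make the sequence above concrete, here is an added simulation (not code from the original post): a constructed DNS table that the attacker flips between the two lookups, a browser-side resolver with and without pinning, and a network-side filter of the kind the "Defending Networks" link below describes, which refuses answers that map an external name to a private address. The hostnames and addresses are the article's own examples; `.corp.example` is a placeholder for an internal domain.

```python
import ipaddress

# Constructed zone: the answer for www.evil.com before and after the attacker rebinds it.
ATTACKER_ZONE = {
    "www.evil.com": ["66.66.66.66", "192.168.66.6"],
}

class FakeDns:
    """Authoritative server under the attacker's control (constructed for this example)."""
    def __init__(self, zone):
        self.zone = zone
        self.phase = 0          # 0 = before the rebind, 1 = after

    def rebind(self):
        self.phase = 1

    def resolve(self, name):
        return self.zone[name][self.phase]

class BrowserResolver:
    """Models a browser's name lookup with DNS pinning switched on or off."""
    def __init__(self, dns, pinning=True):
        self.dns = dns
        self.pinning = pinning
        self.pinned = {}        # name -> first address seen this session

    def lookup(self, name):
        if self.pinning and name in self.pinned:
            return self.pinned[name]          # pinned: ignore the changed DNS entry
        ip = self.dns.resolve(name)
        self.pinned[name] = ip
        return ip

def rebinding_attack(pinning):
    """Replays the steps from the text; returns (script download address, follow-up request address)."""
    dns = FakeDns(ATTACKER_ZONE)
    browser = BrowserResolver(dns, pinning)
    first = browser.lookup("www.evil.com")    # victim fetches the script: 66.66.66.66
    dns.rebind()                               # attacker changes the DNS answer
    second = browser.lookup("www.evil.com")   # the script's request to "www.evil.com"
    return first, second

def rebind_filter(name, ip, internal_suffixes=(".corp.example",)):
    """Network-side check (e.g. on a resolver): accept an answer only if the name is
    internal or the address is not private. Returns True when the answer is allowed."""
    if name.endswith(internal_suffixes):
        return True
    return not ipaddress.ip_address(ip).is_private
```

Without pinning the second request lands on 192.168.66.6; with pinning it stays on 66.66.66.66, and the filter drops the rebound answer before it ever reaches a browser.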
Links:
- Stanford’s DNS Rebinding Paper
- DNS: Spoofing and Pinning
- DNS Pinning Explained
- Does Firefox implement DNS Pinning?
- DNS Rebinding Revisited
- Circumventing DNS Pinning for XSS
- DNS Pinning Just Got Worse
- Defending Networks Against DNS Rebinding Attacks
- Anti-DNS Pinning (DNS Rebinding) + Socket in FLASH