DNS Rebinding Nastiness
Most web app security holes arise from developers not taking care to protect against things like Cross-Site Scripting and Cross-Site Request Forgery. Those who are fully aware of the risks and take care with their code have generally been able to indulge in smug relaxation and tut with dismay as shoddier work gets taken advantage of.
But there is now a class of attack that an individual site's developers can't fully defend against, based on DNS rebinding (also called anti-DNS pinning, after the browser countermeasure, DNS pinning, that it gets around).
Basically, the attacker gets the victim to load a page from a domain the attacker controls, having served that domain's DNS record with a very short TTL. Once the page is loaded, the attacker changes the record to point at the IP address of some other server. The browser's same-origin policy compares hostnames, not addresses, so the page's script can now make what the browser believes are same-origin requests but which actually go to the new IP: the malicious page can perform actions on that server, read the responses, and send anything interesting elsewhere. Sites reachable via bare IP addresses, which never check which hostname they were asked for, are obviously vulnerable, including many intranets, router/modem admin interfaces, and web developers' local servers.
Worse still, the attack can be extended to cover any site, not just those reached by IP address, because IE, Java and Flash (as they stand at the time of writing) let the attacker's code set the Host header on requests, or open raw sockets to whatever address the attacker's name now resolves to, without adequate safeguards. So by sending someone a link (or by slipping malicious markup into a site they visit anyway), an attacker can turn the victim's browser into a useful network proxy: scan for interesting servers on the victim's LAN, grab local data, wreak havoc with any web sites the user has left themselves logged into, and even send email or comment spam from their machine. The requests come from the victim's own address, which is what puts IP-based trust and everything on the LAN within reach (the browser attaches only the attacker domain's cookies to rebound requests, not the target's). It's all potentially rather nasty.
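To make the sequence above concrete, here is an added illustration (not code from the post, and not a real exploit) of the rebinding steps and of the server-side check that stops the plain, browser-only form of the attack. The hostnames, the addresses, and the toy DNS/browser/server classes are all assumed stand-ins.

```python
"""Model of DNS rebinding against an intranet host reached by bare IP, plus
the Host-header check that defeats the plain (browser-only) form of it.

Added illustration, not code from the original post: the hostnames, addresses
and the toy DNS/browser/server classes are constructed stand-ins."""

from dataclasses import dataclass, field
from typing import Dict, List

ATTACKER_NAME = "attacker.example"   # assumed attacker-controlled hostname
ATTACKER_IP = "203.0.113.10"         # assumed attacker web server
ROUTER_IP = "192.168.1.1"            # assumed victim's router admin interface


class AttackerDNS:
    """Authoritative DNS for attacker.example: the first answer is the
    attacker's own server with TTL 0, every later answer is the router."""

    def __init__(self) -> None:
        self.queries = 0

    def resolve(self, name: str) -> str:
        assert name == ATTACKER_NAME, "toy resolver only knows the attacker's name"
        self.queries += 1
        return ATTACKER_IP if self.queries == 1 else ROUTER_IP


class RouterAdmin:
    """The intranet target. With check_host=True it serves only requests whose
    Host header is a name it is legitimately reached by."""

    EXPECTED_HOSTS = {ROUTER_IP, "router.local"}

    def __init__(self, check_host: bool) -> None:
        self.check_host = check_host

    def handle(self, host_header: str) -> str:
        if self.check_host and host_header not in self.EXPECTED_HOSTS:
            return "400 Bad Request (unexpected Host: %s)" % host_header
        return "200 OK admin page: WAN password, DNS settings"


class AttackerSite:
    def handle(self, host_header: str) -> str:
        return "200 OK attacker page carrying the rebinding script"


@dataclass
class Browser:
    """Same-origin policy compares hostnames, never resolved addresses.
    pin_dns=True keeps the first resolution for the life of the page (DNS
    pinning); pin_dns=False re-resolves whenever the cached answer has expired,
    which with a TTL of 0 means on every request."""

    dns: AttackerDNS
    servers: Dict[str, object]
    pin_dns: bool = False
    pins: Dict[str, str] = field(default_factory=dict)

    def fetch(self, origin: str, url_host: str) -> str:
        if url_host != origin:
            return "blocked by same-origin policy"
        if self.pin_dns and url_host in self.pins:
            ip = self.pins[url_host]
        else:
            ip = self.dns.resolve(url_host)
            self.pins[url_host] = ip
        # The request carries the URL's hostname in Host:, whatever IP it goes to.
        return self.servers[ip].handle(host_header=url_host)


def run_attack(check_host: bool, pin_dns: bool = False) -> List[str]:
    """Returns [page load, rebound same-origin request, direct cross-origin request]."""
    dns = AttackerDNS()
    servers = {ATTACKER_IP: AttackerSite(), ROUTER_IP: RouterAdmin(check_host)}
    browser = Browser(dns, servers, pin_dns)
    # 1. Victim loads attacker.example; the first lookup returns the attacker's IP.
    first = browser.fetch(origin=ATTACKER_NAME, url_host=ATTACKER_NAME)
    # 2. The page's script requests attacker.example again. The TTL-0 answer has
    #    expired, the new lookup returns ROUTER_IP, and the browser sends the
    #    request to the router with "Host: attacker.example", since as far as
    #    the same-origin policy is concerned nothing has changed.
    second = browser.fetch(origin=ATTACKER_NAME, url_host=ATTACKER_NAME)
    # 3. For comparison, a plain cross-origin request to the router's address is
    #    refused outright, which is why the attacker bothers rebinding at all.
    direct = browser.fetch(origin=ATTACKER_NAME, url_host=ROUTER_IP)
    return [first, second, direct]


if __name__ == "__main__":
    for check_host, pin_dns in [(False, False), (True, False), (False, True)]:
        print("check_host=%s pin_dns=%s" % (check_host, pin_dns))
        for line in run_attack(check_host, pin_dns):
            print("   ", line)
```

The three runs show the unprotected router handing over its admin page, the Host-checking router refusing the rebound request because "attacker.example" is not a name it answers to, and a pinning browser never reaching the router at all. Pinning is not a reliable defence on its own, though: the browsers of the day would drop a pin and re-resolve if the first address became unreachable (the attacker just firewalls it off after the page loads), which is the "anti-DNS pinning" trick the attack is named after. The Host check, for its part, is no help once a plugin can forge the header.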
Nervous users can disable plugins and JavaScript, and network admins can configure the local resolver to drop answers that map external names onto internal addresses, but for public sites there's no viable defence (beyond irritating users by aggressively expiring cookies, forcing them to log in again for certain features, etc.), and it seems we can only hope for incremental improvements from browser and plugin authors. Servers that are reached by IP address can at least refuse requests whose Host header isn't one of their own names, which stops the plain browser-only version of the attack, though not the plugin-assisted one. Luckily, mounting effective large-scale exploits currently requires knowledge of a fairly broad range of technologies, and the pay-off isn't blatantly obvious, but I'm sure there'll be targeted attacks and increasingly clever/scary demonstrations.
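The resolver-side measure mentioned above, as an added example that is not from the post: a filter that drops answers mapping any name outside the organisation's own zones onto private, loopback or link-local addresses. The blocked ranges, the zone list and the sample answer sets are constructed; in practice this logic lives inside the site's recursive resolver, and it protects only clients that use that resolver.

```python
"""Resolver-side rebind filter: drop DNS answers that map a name outside the
organisation's own zones onto internal, loopback or link-local addresses.

Added example, not from the original post. The blocked ranges, the zone list
and the sample answers are constructed; in practice this logic lives in the
site's recursive resolver."""

import ipaddress
from typing import Iterable, List, Tuple

# Ranges an external name has no business resolving to (assumed policy).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8",                        # loopback / "this host"
    "169.254.0.0/16",                                  # IPv4 link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_internal_name(name: str, internal_zones: Iterable[str]) -> bool:
    """True if name is one of, or lies under, the organisation's own zones."""
    name = name.rstrip(".").lower()
    for zone in internal_zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def filter_answers(name: str, addresses: Iterable[str],
                   internal_zones: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped) for one answer set.

    Names under an internal zone may resolve anywhere; any other name loses
    every answer inside BLOCKED_NETS. IPv4-mapped IPv6 answers are checked as
    the IPv4 address they wrap, and unparseable answers are dropped rather
    than passed through."""
    if is_internal_name(name, internal_zones):
        return list(addresses), []
    kept, dropped = [], []
    for answer in addresses:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            dropped.append(answer)
            continue
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # e.g. ::ffff:10.0.0.5 -> 10.0.0.5
        if any(ip in net for net in BLOCKED_NETS):
            dropped.append(answer)
        else:
            kept.append(answer)
    return kept, dropped


INTERNAL_ZONES = ["corp.example"]      # assumed: the organisation's own zone

SAMPLE_ANSWERS = [                     # constructed answer sets
    ("attacker.example", ["203.0.113.10", "192.168.1.1"]),   # rebind attempt
    ("attacker.example", ["::ffff:10.0.0.5"]),               # mapped-IPv6 dodge
    ("intranet.corp.example", ["10.1.2.3"]),                 # legitimate internal
    ("www.example.net", ["198.51.100.7"]),                   # ordinary external
]

if __name__ == "__main__":
    for qname, answers in SAMPLE_ANSWERS:
        kept, dropped = filter_answers(qname, answers, INTERNAL_ZONES)
        print("%-24s kept=%s dropped=%s" % (qname, kept, dropped))
```

The zone allowlist matters: without it the filter would break every legitimate internal name, and with it an attacker who can register names under one of those zones is of course not stopped. The filter does nothing for roaming laptops on other networks, for public sites, or for the plugin-assisted variant, which is exactly why the post treats it as a partial measure.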
Fri 24th Aug 2007, 2:24pm GMT
Filed under: Client-side Coding, Security and Privacy, Server-side Coding, Web
Matt Round’s company blog, covering web development, media, technology and pretty much anything else.
