24 Aug 2007
DNS Rebinding Nastiness
Most web app security holes arise from developers not taking care to protect against things like Cross-Site Scripting and Cross-Site Request Forgery. Those who are fully aware of the risks and take care with their code have generally been able to indulge in smug relaxation and tut with dismay as shoddier work gets taken advantage of.
But there are now exploits that developers can’t defend against, mostly based around DNS Rebinding (also known as Anti-DNS Pinning).
Basically, the attacker gets the victim to visit a page on a domain they control, then changes that domain's DNS record to point at the IP address of another site. The browser still treats the attacker's domain as the same origin, so the malicious page can send requests to that IP, read the responses, and ship the data elsewhere (demo). Sites reachable via bare IP addresses are obviously vulnerable, including many intranets, router/modem admin interfaces, and web developers' local servers.
Worse still, the attack can be extended to cover any site, not just those accessible via an IP address, as IE, Java and Flash allow HTTP headers to be manipulated without adequate safeguards. So by sending someone a link (or by slipping malicious markup into a site they visit anyway), it’s possible for an attacker to turn the victim’s browser into a useful network proxy. They could scan for interesting servers, grab some local data, wreak havoc with any web sites the user’s left themselves logged into, and even send email or comment spam from their machine. It’s all potentially rather nasty.
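The rebinding step described above only works because the target server answers a request whose Host header names the attacker's domain, and because the victim's resolver hands back a private address for a public name. The following is an added illustration of both defensive checks and is not code from the original post; the hostnames, addresses and allowed-host set are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example: the names this intranet service legitimately answers for.
ALLOWED_HOSTS = {"intranet.example.internal", "10.0.0.5"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Server-side check: reject requests whose Host header names someone else.

    In a rebinding attack the browser still believes it is talking to the
    attacker's domain, so that domain (not ours) arrives in the Host header.
    """
    if not host_header:
        return False
    # urlsplit strips any :port and handles bracketed IPv6 literals for us.
    host = urlsplit("//" + host_header).hostname
    return host is not None and host.lower() in allowed


def dns_answer_is_suspicious(qname, addresses):
    """Resolver-side check: a name answered from the public DNS that resolves
    to a private, loopback or link-local address is a rebinding red flag.
    (This is the same idea as dnsmasq's stop-dns-rebind option.)"""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return True
    return False


def wsgi_host_guard(app, allowed=ALLOWED_HOSTS):
    """WSGI middleware: answer 400 on an unexpected Host before the app runs."""
    def guarded(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Unexpected Host header\n"]
        return app(environ, start_response)
    return guarded
```

Wrapping an intranet application in `wsgi_host_guard` means a rebound request from `attacker.example` is refused even though it arrives at the right IP, and running `dns_answer_is_suspicious` at the resolver stops the rebinding answer from ever reaching the browser.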