DNS Pinning
As described here:
- Practical Anti-DNS Pinning Writeup
- Circumventing DNS Pinning for XSS
- (somewhat) breaking the same-origin policy by undermining dns-pinning
- http://t3.dotgnu.info/blog/insecurity/dns-pinning-explored.html
This looks to me to be a much bigger problem than it seems (and than is being acknowledged).
Basically, to exploit DNS Pinning, ‘all’ the attacker needs to do is:
1) get the victim to open a page from www.atacker.com (the www.atacker.com DNS will give out two IPs: the first will be the real www.atacker.com IP and the 2nd will be the IP of the www.targetwebsite.com (which could be internal))
2) the attacker drops the www.atacker.com server (dynamic firewall rule or other) so that the victim’s browser will clear that DNS entry
3) the script loaded in the victim’s browser opens another page from www.atacker.com/target.html, which will now be fetched not from www.atacker.com but from the IP of www.targetwebsite.com (and it has access to its contents, since from the browser’s point of view it is still the same website/DNS name).
As with CSRF, this means that most websites out there are vulnerable.
I actually want to do a bit more research on this since this is sounding too bad to be true. Hopefully there will be some variations that will reduce the exploitability (one, for example, will be that this will not work if the server is doing virtual DNS name mappings and doesn’t accept direct IP requests or requests from other domains).
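The server-side condition mentioned above (only answering requests whose Host header names the site, refusing bare IPs and foreign names) is the check a defender can add today. The following is an added example, not code from the original post: a Host-header allowlist and a small WSGI wrapper around it. `ALLOWED_HOSTS` and the hostnames in the comments are constructed values.

```python
import ipaddress
from typing import Iterable, Optional

# DNS names this server is willing to answer for (constructed example values).
ALLOWED_HOSTS = {"www.targetwebsite.com", "targetwebsite.com"}


def canonical_host(host_header: str) -> Optional[str]:
    """Return the bare hostname from a Host header, or None if malformed.

    Accepts "host", "host:port", "[v6]" and "[v6]:port"; lower-cases and
    strips a trailing dot so the allowlist comparison is exact.
    """
    value = host_header.strip()
    if not value:
        return None
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host.lower()
    host, sep, port = value.rpartition(":")
    if not sep:                                    # no port present
        host = value
    elif not port.isdigit():
        return None
    return host.lower().rstrip(".")


def host_is_allowed(host_header: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only when Host is one of this site's own DNS names.

    A rebinding victim's browser sends the attacker's name (e.g. www.atacker.com)
    in Host, and a direct-IP request sends an address literal; both are refused.
    """
    host = canonical_host(host_header)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)                 # IP literal: never a site name
        return False
    except ValueError:
        pass
    return host in {h.lower() for h in allowed}


def reject_unknown_host(app):
    """WSGI middleware: answer 400 unless the Host header is on the allowlist."""
    def wrapped(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", "")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown Host header\n"]
        return app(environ, start_response)
    return wrapped
```

Name-based virtual hosting on the web server (a default vhost that returns an error) gives the same effect for sites that cannot change application code.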
