Topic
DNS rebinding
About: DNS rebinding is a research topic. Over the lifetime, 20 publications have been published within this topic receiving 579 citations.
Papers
28 Oct 2007
TL;DR: Two locked same-origin policies for web browsers are proposed, one of which can be deployed today and interoperate seamlessly with the vast majority of legacy web servers, and the other a simple incrementally deployable opt-in mechanism for legacy servers using policy files.
Abstract: We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain names, the locked same-origin policies enforce access using servers' X.509 certificates and public keys. We show how our policies help two existing web authentication mechanisms, client-side SSL and SSL-only cookies, resist both pharming and stronger active attacks. Also, we present a deployability analysis of our policies based on a study of 14651 SSL domains. Our results suggest one of our policies can be deployed today and interoperate seamlessly with the vast majority of legacy web servers. For our other policy, we present a simple incrementally deployable opt-in mechanism for legacy servers using policy files, and show how web sites can use policy files to support self-signed and untrusted certificates, shared subdomain objects, and key updates.
163 citations
TL;DR: Defenses to DNS rebinding attacks are analyzed, including improvements to the classic “DNS pinning,” and changes to browser plug-ins, firewalls, and Web servers are recommended.
Abstract: DNS rebinding attacks subvert the same-origin policy of browsers, converting them into open network proxies. Using DNS rebinding, an attacker can circumvent organizational and personal firewalls, send spam email, and defraud pay-per-click advertisers. We evaluate the cost effectiveness of mounting DNS rebinding attacks, finding that an attacker requires less than d100 to hijack 100,000 IP addresses. We analyze defenses to DNS rebinding attacks, including improvements to the classic “DNS pinning,” and recommend changes to browser plug-ins, firewalls, and Web servers. Our defenses have been adopted by plug-in vendors and by a number of open-source firewall implementations.
91 citations
27 Oct 2008
TL;DR: Omash is a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces and satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP.
Abstract: The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and full trust, where third-party content runs with the full privilege of the integrator. Furthermore, the SOP has its own set of security vulnerabilities and pitfalls, including Cross-Site Request Forgery, DNS rebinding and dynamic pharming. To overcome the unfortunate tradeoff between security and functionality forced upon today's mashup developers, we propose OMash, a simple abstraction that treats web pages as objects and allows objects to communicate only via their declared public interfaces. Since OMash does not rely on the SOP for controlling DOM access or cross-domain data exchange, it does not suffer from the SOP's vulnerabilities. We show that OMash satisfies the trust relationships desired by mashup authors and may be configured to be backward compatible with the SOP. We implemented a prototype of OMash using Mozilla Firefox 2.0 and demonstrated several proof-of-concept applications.
63 citations
7 Aug 2018
TL;DR: This paper presents two web-based attacks against local IoT devices that any malicious web page or third-party script can perform, even when the devices are behind NATs.
Abstract: In this paper, we present two web-based attacks against local IoT devices that any malicious web page or third-party script can perform, even when the devices are behind NATs. In our attack scenario, a victim visits the attacker's website, which contains a malicious script that communicates with IoT devices on the local network that have open HTTP servers. We show how the malicious script can circumvent the same-origin policy by exploiting error messages on the HTML5 MediaError interface or by carrying out DNS rebinding attacks. We demonstrate that the attacker can gather sensitive information from the devices (e.g., unique device identifiers and precise geolocation), track and profile the owners to serve ads, or control the devices by playing arbitrary videos and rebooting. We propose potential countermeasures to our attacks that users, browsers, DNS providers, and IoT vendors can implement.
56 citations
Patent•
31 Dec 2007TL;DR: In this paper, a computer-implemented method comprising detecting a resolution of an internet address to a first computing-device address, the internet address being associated with a first domain is presented.
Abstract: A computer-implemented method comprising detecting a resolution of an internet address to a first computing-device address, the internet address being associated with a first domain. The method may also comprise storing a domain-name record, the domain-name record associating the internet address with the first computing-device address. The method may comprise using the domain-name record to bind the first domain to the first computing-device address and preventing, until a request to leave the first domain is detected, the first domain from being rebound to a second computing-device address. Systems and computer-readable media for addressing DNS rebinding are also disclosed.
44 citations
Related Topics (5)
Performance Metrics
| Year | Papers |
|---|---|
| 2020 | 1 |
| 2019 | 2 |
| 2018 | 3 |
| 2016 | 1 |
| 2015 | 1 |
| 2013 | 3 |