Black Ops 2007: DNS Rebinding Attacks, presented at BlueHat 2007

by Dan Kaminsky (IOActive)

Tags: Security

Summary: Part of the design of the web allows browsers to collect and render resources across security boundaries. This capability has a number of issues, but they have historically been mitigated with what is known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. However, scripts are not acquired from names; they come from addresses. As RSnake of ha.ckers.org and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted and the addresses they were connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page.
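The abstract's core point is that the browser trusts a name while the socket goes to an address, so a defender has to re-tie the two at one end or the other. The following is an added illustration (not code from the talk or from any of the named researchers) of the two standard places to do that: the server checks that the Host header it receives actually names this service, and a resolver refuses to hand a browser an answer that maps an external name onto an internal address. The host list, the internal zone name and the sample answers are constructed placeholders.

```python
import ipaddress
from typing import Iterable

# Constructed sample: the names this service expects to be reached as.
# A browser that was rebound to our address still sends the attacker's
# name in the Host header, which is exactly what this check rejects.
ALLOWED_HOSTS = {"app.internal.example", "192.0.2.10"}

# Address ranges a public name should never resolve to. Listed explicitly
# rather than via ipaddress.is_private so the policy is visible and stable.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def host_header_allowed(host_header: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """Server-side mitigation: accept a request only if its Host header names us."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Strip an optional port; IPv6 literals arrive bracketed, e.g. "[::1]:8080".
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host in {h.lower() for h in allowed}


def is_internal_address(addr: str) -> bool:
    """True if addr falls in a loopback, link-local or private range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_rebinding_answers(name: str, answers: list[str],
                             internal_zones: tuple[str, ...] = ("internal.example",)) -> list[str]:
    """Resolver-side mitigation: drop answers that map an external name to an internal address.

    Names inside our own zones may legitimately resolve to internal addresses;
    every other name gets its internal answers stripped.
    """
    qname = name.rstrip(".").lower()
    for zone in internal_zones:
        zone = zone.lower()
        if qname == zone or qname.endswith("." + zone):
            return list(answers)
    return [a for a in answers if not is_internal_address(a)]


if __name__ == "__main__":
    # Constructed example: an external name whose second-round answers point
    # at the victim's own loopback and LAN addresses.
    print(filter_rebinding_answers("lure.attacker.example",
                                   ["198.51.100.7", "127.0.0.1", "10.0.0.5"]))
    print(host_header_allowed("lure.attacker.example"))
```

Both checks are deliberately dumb string and range tests: the Host check matters most on services that assume "only the LAN can reach me" instead of authenticating, and the resolver filter is the same idea as the rebinding protection found in home-router resolvers, with the caveat that it does nothing for a name that is rebound to a public address the attacker wants the victim to reach.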