SlideShare a Scribd company logo

DNS Rebinding Attack

Felipe Japm, profile picture
Felipe Japm

This document discusses DNS rebinding attacks and defenses against them. DNS rebinding works by resolving a domain name to the attacker's IP address for a short time, then rebinding it to the target's IP. This allows the attacker to circumvent the same-origin policy and run code on the target's machine. Experiments showed the attack could recruit over 30,000 browsers to a botnet without any user interaction using Flash. Defenses include smarter pinning in browsers, host name authorization, and policy-based approaches. Plug-ins also need to consult server policies before opening sockets.

Technology
1 of 23
Downloaded 169 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Protecting Browsers from DNS Rebinding Attacks Collin Jackson , Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh Felipe Mattosinho
Outline Introduction How DNS Rebinding Works DNS Rebinding Vulnerabilities Attacks using DNS Rebinding Defenses Against Rebinding Related Work
Introduction Browsers and DNS Caching Why Browsers cache the DNS? Different browsers have different policies mechanism to cache. E.g : Firefox, Safari, Internet Explorer TTL hold the valid time of a dns entry Browsers „should“ cache until TTL expires
Introduction Browsers Same Origin Policy Browser attempts to stop client-side script from different origin The policy applies to network access and browser state such as the DOM interface, cookies, cache, history, and the password database Same origin means same protocol, domain name and port number Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
Introduction Browsers Same Origin Policy Access Within same origin: Plug-ins such as Flash Player and Java can access network sockets directly. Access between different origins: Flash Player permits its movies to read back HTTP responses with a XML policy. Prohibited Access: Internet Explorer 7: Firefox 2: Safari 2: FTP 21 , SMTP 25, FTP 21 , SMTP 25, Ports are not POP3 110, NNTP 119 POP3 110, NNTP 119 blocked IMAP 143 IMAP 143 + 51 additional ports
How DNS Rebinding Works Bob www.SE-ROCKS.com Win a car www.badguy.com ISP Malicious Javascript www.badguy.com : IP: 1.2.3.4 TTL 2s Alice
How DNS Rebinding Works Bob IP: 10.1.1.2 Javascript // Reconnect to www.badguy.com after 2s www.badguy.com : IP 10.1.1.3 Alice IP: 10.1.1.3
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Multiple A Records Multiple IP Address resolves to the same host. In 1996, the first attack aimed to confuse the security policy of the JVM. A Java applet, connects target and attacker web server. Time-Varying DNS In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound to a very short TTL. After rebinding www.badguy.com to the target IP Address, the XMLHttpRequest object connects to www.badguy.com that resolves to the target’s server.
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Pinning in Current Browsers Browser pins host name to IP Address. Internet Explorer 7, binds a host to an IP for 30 minutes by default. With Multiple A records, the browser can try different IP addresses within 1 sec. Internet Explorer 6 also pins for 30 minutes. The pin can be easily released with the following html command <img src:http://badguy.com:81/> FireFox 1.5 and 2 caches DNS entries between 60 to 120 seconds Opera 9 has the same behavior as Internet Explorer 6, however holds a pin for 12 minutes. Safari 2 pins DNS bindings for 1 second.
DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Flash Player 9 Flash player is installed on 55.8% of web browsers( as of December 2006), according to Adobe. The experiments however showed 86.9%. Flash opens a port less then 1024 with www.badguy.com. Then flash automatically sends <policy-file-request />. The attacker will respond with the following XML: [JBB+07]
Attacks using DNS Rebinding Attacks Firewall Circumvention Spidering the Intranet Compromising unpatched machines Abusing internal open services IP Hijacking Committing Click Fraud Sending Spam Defeating IP-based Authentication Framing clients
Attacks using DNS Rebinding Experiment: Recruiting Browsers DNS Rebinding was tested running a Flash Player 9 advertisement Two machines ran during three successive nights. The attacker ran: 1. A custom authoritative DNS server 2. A custom Flash player policy server 3. An Apache Web server hosting the advertisement The target ran an Apache Server to log successful attacks
Attacks using DNS Rebinding Experiment: Recruiting Browsers The attack needed no user click The attack results: [JBB+07] [JBB+07]
Attacks using DNS Rebinding Experiment: Recruiting Browsers Relevant numbers about the attack: 1. 50,951 impressions from 44,924 unique IP address were acquired (40.2% IE7,32.3% IE6, 23.5% Firefox, 4% Other). 2. The rebinding experiment ran on the 44,301(86.9%) impressions that reported Flash Player 9. 3. The experiment was successful on 30,636(60.1%) impressions and 27,840 unique IP addresses. 4. The attack was less successfull on Mac Os.
Defenses Against Rebinding Fixing Firewall Circumvention Enterprise Blocking outbound traffic on port 53, a DNS server can be configured to not bound external names to internal IP Addresses. Use of dnswall to enforce policy. Consumer Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall. Software E.g. : Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
Defenses Against Rebinding Fixing Plug-ins Flash Player A policy based only if obtained for the same IP address and same host name. Requesting policy before opening sockets to any port. Java The connect method is used to obtain a proxied socket connection to an external machine Java LiveConnect Removing multi-pin vulnerabilities by using the same cache as the browser.
Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Checking Host Header Accepting only expected Host headers. Finer-grained Origins Refine origin by adding information such as the server IP address or a public key. IP Addresses: It is robust however some applications may fail such as Gmail. Public Keys: Can lead to a problem that two HTTPS pages served from the same domain to read each other’s state.
Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Smarter Pinning Robustness X Security Extending the width of pins. E.g. An IP 171.64.78.10 to 171.64.78. The developers of the NoScript for Firefox are planning this pinning heuristic
Defenses Against Rebinding Fixing Browsers(Default-Deny Sockets) Policy-based Pinning Browsers consult server-supplied policies to determine when it is safe to re-pin. Pinning Pitfalls Common Pin Database: Sharing the same database Cache:Browser’s cache and all plug-in caches must be modified to prevent rebinding attacks. Document.domain
Defenses Against Rebinding Fixing Browsers(Default-Allow Sockets) Host Name Authorization „Honest Machines“ do not advertise host name controlled by attackers. [JBB+07] Policy mechanism steps: 1. Resolve the host name auth.ip.in-addr.arpa 2. Does the host name exists? 3. If IP is policy-enabled resolve the host name www.example.com.auth.ip.in- addr.arpa 4. Determine if the host name is authorized
Related Work Using Browsers as Bots Can be used for distributed denial of service attack Sender Policy Framework Stores policy information in DNS
References [1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer [2] Dan Kaminisky.Black ops 2007, designing reviewing the web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt [3] Wikipedia http://en.wikipedia.org/wiki/Domain_Name_System [4] Google Safe Browsing for Firefox, 2005 http://www.google.com/tools/firefox/safebrowsing [5] J. Ruderman. JavaScript Security:Same origin. http://www.mozilla.org/projects/security/components/same- origin.html Supervisor: Gert Pfeifer [6]D. Ross Notes on DNS pinning http://blogs.msdn.com/dross/archive/2007/07/09/notes-on- dns.pinning.aspx, 2007
THANK YOU! QUESTIONS?!

More Related Content

PPTX
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
PDF
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Harsh Bothra
 
PDF
Cybersecurity Powerpoint Presentation Slides
SlideTeam
 
PPTX
OWASP SB -Threat modeling 101
Jozsef Ottucsak
 
PDF
Sql Injection and XSS
Mike Crabb
 
PPTX
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
PDF
SOC 2: Build Trust and Confidence
Schellman & Company
 
PDF
C# Game Server
lactrious
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Harsh Bothra
 
Cybersecurity Powerpoint Presentation Slides
SlideTeam
 
OWASP SB -Threat modeling 101
Jozsef Ottucsak
 
Sql Injection and XSS
Mike Crabb
 
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
SOC 2: Build Trust and Confidence
Schellman & Company
 
C# Game Server
lactrious
 

What's hot (20)

PDF
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
PDF
Comprehensive plans are in place to improve our institutional cyber security
JasonTrinhNguyenTruo
 
PPTX
Reverse proxies & Inconsistency
GreenD0g
 
PDF
Introduction to Linux Privilege Escalation Methods
Bishop Fox
 
PPT
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
Sébastien GIORIA
 
PPTX
Cloud slide
Athulya K S
 
PDF
Cyber Domain Security
ICSA, LLC
 
PPTX
Sql injection
Nuruzzaman Milon
 
PPT
Encryption technology
Neha Bhambu
 
PPTX
Introduction ethical hacking
Vishal Kumar
 
PDF
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
PPT
Cyber Security-Foundation.ppt
ErAdityaSingh1
 
PDF
NIST Cyber Security Framework V1.1 - Infogram Poster
Mark Stafford
 
PPT
Network Security 1st Lecture
babak danyal
 
PPTX
Encryption
keith dias
 
PPTX
Stuxnet worm
sommerville-videos
 
PDF
Advanced Wi-Fi pentesting
Yunfei Yang
 
DOCX
Unit 2_Blacklisting & Whitelisting User Input in Python.docx
ChatanBawankar
 
PDF
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
Comprehensive plans are in place to improve our institutional cyber security
JasonTrinhNguyenTruo
 
Reverse proxies & Inconsistency
GreenD0g
 
Introduction to Linux Privilege Escalation Methods
Bishop Fox
 
2010 02 09 Ms Tech Days Owasp Asvs Sgi V01
Sébastien GIORIA
 
Cloud slide
Athulya K S
 
Cyber Domain Security
ICSA, LLC
 
Sql injection
Nuruzzaman Milon
 
Encryption technology
Neha Bhambu
 
Introduction ethical hacking
Vishal Kumar
 
Lie to Me: Bypassing Modern Web Application Firewalls
Ivan Novikov
 
Cyber Security-Foundation.ppt
ErAdityaSingh1
 
NIST Cyber Security Framework V1.1 - Infogram Poster
Mark Stafford
 
Network Security 1st Lecture
babak danyal
 
Encryption
keith dias
 
Stuxnet worm
sommerville-videos
 
Advanced Wi-Fi pentesting
Yunfei Yang
 
Unit 2_Blacklisting & Whitelisting User Input in Python.docx
ChatanBawankar
 
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
Introduction To Vulnerability Assessment & Penetration Testing
Raghav Bisht
 
Ad

Similar to DNS Rebinding Attack (20)

DOCX
Protecting Browsers from DNS Rebinding AttacksCollin Jacks.docx
amrit47
 
PPT
Dmk Bo2 K7 Web
royans
 
PPT
Design Reviewing The Web
amiable_indian
 
PPT
Dmk bo2 k7_web
Dan Kaminsky
 
PPT
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
PDF
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
PDF
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
PPT
Dmk bo2 k8_bh_fed
Dan Kaminsky
 
PDF
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
PDF
Active Https Cookie Stealing
SecurityTube.Net
 
PPS
Aditya - Hacking Client Side Insecurities - ClubHack2008
ClubHack
 
PDF
Xfocus xcon 2008_aks_oknock
ownerkhan
 
ZIP
DNS Cache Poisoning
Christiaan Ottow
 
PDF
OSINT for Attack and Defense
Andrew McNicol
 
PDF
Computer network (2)
NYversity
 
PDF
Hitbkl 2012
F _
 
PPTX
Infoblox - turning DNS from security target to security tool
Jisc
 
PDF
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
PDF
Day 2 Dns Cert 4a Cache Poisoning
vngundi
 
PDF
08 tcp-dns
pantu_1961
 
Protecting Browsers from DNS Rebinding AttacksCollin Jacks.docx
amrit47
 
Dmk Bo2 K7 Web
royans
 
Design Reviewing The Web
amiable_indian
 
Dmk bo2 k7_web
Dan Kaminsky
 
Zombilizing The Web Browser Via Flash Player 9
thaidn
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Network and DNS Vulnerabilities
n|u - The Open Security Community
 
Dmk bo2 k8_bh_fed
Dan Kaminsky
 
There's no place like 127.0.0.1 - Achieving "reliable" DNS rebinding in moder...
Luke Young
 
Active Https Cookie Stealing
SecurityTube.Net
 
Aditya - Hacking Client Side Insecurities - ClubHack2008
ClubHack
 
Xfocus xcon 2008_aks_oknock
ownerkhan
 
DNS Cache Poisoning
Christiaan Ottow
 
OSINT for Attack and Defense
Andrew McNicol
 
Computer network (2)
NYversity
 
Hitbkl 2012
F _
 
Infoblox - turning DNS from security target to security tool
Jisc
 
NotaCon 2011 - Networking for Pentesters
Rob Fuller
 
Day 2 Dns Cert 4a Cache Poisoning
vngundi
 
08 tcp-dns
pantu_1961
 
Ad

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Cloud computing and distributed systems.
kkkkkhan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Teaching material agriculture food technology
LiaRayya
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

DNS Rebinding Attack

  • 1. Protecting Browsers from DNS Rebinding Attacks Collin Jackson , Adam Barth, Andrew Bortz, Weidong Shao, Dan Boneh Felipe Mattosinho
  • 2. Outline Introduction How DNS Rebinding Works DNS Rebinding Vulnerabilities Attacks using DNS Rebinding Defenses Against Rebinding Related Work
  • 3. Introduction Browsers and DNS Caching Why Browsers cache the DNS? Different browsers have different policies mechanism to cache. E.g : Firefox, Safari, Internet Explorer TTL hold the valid time of a dns entry Browsers „should“ cache until TTL expires
  • 4. Introduction Browsers Same Origin Policy Browser attempts to stop client-side script from different origin The policy applies to network access and browser state such as the DOM interface, cookies, cache, history, and the password database Same origin means same protocol, domain name and port number Examples: Wikipedia, http://en.wikipedia.org/wiki/Same_origin_policy
  • 5. Introduction Browsers Same Origin Policy Access Within same origin: Plug-ins such as Flash Player and Java can access network sockets directly. Access between different origins: Flash Player permits its movies to read back HTTP responses with a XML policy. Prohibited Access: Internet Explorer 7: Firefox 2: Safari 2: FTP 21 , SMTP 25, FTP 21 , SMTP 25, Ports are not POP3 110, NNTP 119 POP3 110, NNTP 119 blocked IMAP 143 IMAP 143 + 51 additional ports
  • 6. How DNS Rebinding Works Bob www.SE-ROCKS.com Win a car www.badguy.com ISP Malicious Javascript www.badguy.com : IP: 1.2.3.4 TTL 2s Alice
  • 7. How DNS Rebinding Works Bob IP: 10.1.1.2 Javascript // Reconnect to www.badguy.com after 2s www.badguy.com : IP 10.1.1.3 Alice IP: 10.1.1.3
  • 8. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Multiple A Records Multiple IP Address resolves to the same host. In 1996, the first attack aimed to confuse the security policy of the JVM. A Java applet, connects target and attacker web server. Time-Varying DNS In 2001, the original attack on Java was extended, this time using JavaScript. www.badguy.com is bound to a very short TTL. After rebinding www.badguy.com to the target IP Address, the XMLHttpRequest object connects to www.badguy.com that resolves to the target’s server.
  • 9. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Pinning in Current Browsers Browser pins host name to IP Address. Internet Explorer 7, binds a host to an IP for 30 minutes by default. With Multiple A records, the browser can try different IP addresses within 1 sec. Internet Explorer 6 also pins for 30 minutes. The pin can be easily released with the following html command <img src:http://badguy.com:81/> FireFox 1.5 and 2 caches DNS entries between 60 to 120 seconds Opera 9 has the same behavior as Internet Explorer 6, however holds a pin for 12 minutes. Safari 2 pins DNS bindings for 1 second.
  • 10. DNS Rebinding Vulnerabilities Standard Rebinding Vulnerabilities Flash Player 9 Flash player is installed on 55.8% of web browsers( as of December 2006), according to Adobe. The experiments however showed 86.9%. Flash opens a port less then 1024 with www.badguy.com. Then flash automatically sends <policy-file-request />. The attacker will respond with the following XML: [JBB+07]
  • 11. Attacks using DNS Rebinding Attacks Firewall Circumvention Spidering the Intranet Compromising unpatched machines Abusing internal open services IP Hijacking Committing Click Fraud Sending Spam Defeating IP-based Authentication Framing clients
  • 12. Attacks using DNS Rebinding Experiment: Recruiting Browsers DNS Rebinding was tested running a Flash Player 9 advertisement Two machines ran during three successive nights. The attacker ran: 1. A custom authoritative DNS server 2. A custom Flash player policy server 3. An Apache Web server hosting the advertisement The target ran an Apache Server to log successful attacks
  • 13. Attacks using DNS Rebinding Experiment: Recruiting Browsers The attack needed no user click The attack results: [JBB+07] [JBB+07]
  • 14. Attacks using DNS Rebinding Experiment: Recruiting Browsers Relevant numbers about the attack: 1. 50,951 impressions from 44,924 unique IP address were acquired (40.2% IE7,32.3% IE6, 23.5% Firefox, 4% Other). 2. The rebinding experiment ran on the 44,301(86.9%) impressions that reported Flash Player 9. 3. The experiment was successful on 30,636(60.1%) impressions and 27,840 unique IP addresses. 4. The attack was less successfull on Mac Os.
  • 15. Defenses Against Rebinding Fixing Firewall Circumvention Enterprise Blocking outbound traffic on port 53, a DNS server can be configured to not bound external names to internal IP Addresses. Use of dnswall to enforce policy. Consumer Consumer firewalls already expose a caching DNS resolver and can be augmented with dnswall. Software E.g. : Windows Firewall can block DNS resolutions to 127.*.*.*, protecting services that bind to the loopback interface.
  • 16. Defenses Against Rebinding Fixing Plug-ins Flash Player A policy based only if obtained for the same IP address and same host name. Requesting policy before opening sockets to any port. Java The connect method is used to obtain a proxied socket connection to an external machine Java LiveConnect Removing multi-pin vulnerabilities by using the same cache as the browser.
  • 17. Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Checking Host Header Accepting only expected Host headers. Finer-grained Origins Refine origin by adding information such as the server IP address or a public key. IP Addresses: It is robust however some applications may fail such as Gmail. Public Keys: Can lead to a problem that two HTTPS pages served from the same domain to read each other’s state.
  • 18. Defenses Against Rebinding Fixing Browsers (Default-Deny Sockets) Smarter Pinning Robustness X Security Extending the width of pins. E.g. An IP 171.64.78.10 to 171.64.78. The developers of the NoScript for Firefox are planning this pinning heuristic
  • 19. Defenses Against Rebinding Fixing Browsers(Default-Deny Sockets) Policy-based Pinning Browsers consult server-supplied policies to determine when it is safe to re-pin. Pinning Pitfalls Common Pin Database: Sharing the same database Cache:Browser’s cache and all plug-in caches must be modified to prevent rebinding attacks. Document.domain
  • 20. Defenses Against Rebinding Fixing Browsers(Default-Allow Sockets) Host Name Authorization „Honest Machines“ do not advertise host name controlled by attackers. [JBB+07] Policy mechanism steps: 1. Resolve the host name auth.ip.in-addr.arpa 2. Does the host name exists? 3. If IP is policy-enabled resolve the host name www.example.com.auth.ip.in- addr.arpa 4. Determine if the host name is authorized
  • 21. Related Work Using Browsers as Bots Can be used for distributed denial of service attack Sender Policy Framework Stores policy information in DNS
  • 22. References [1] Adobe. Adobe Player Penetration. http://www.adobe.com/products/player_census/flashplayer [2] Dan Kaminisky.Black ops 2007, designing reviewing the web. PowerPoint. www.doxpara.com/slides/DMK_BO2K7_Web.ppt [3] Wikipedia http://en.wikipedia.org/wiki/Domain_Name_System [4] Google Safe Browsing for Firefox, 2005 http://www.google.com/tools/firefox/safebrowsing [5] J. Ruderman. JavaScript Security:Same origin. http://www.mozilla.org/projects/security/components/same- origin.html Supervisor: Gert Pfeifer [6]D. Ross Notes on DNS pinning http://blogs.msdn.com/dross/archive/2007/07/09/notes-on- dns.pinning.aspx, 2007