Lecture 14: DNS Rebinding Flashcards
What are rebinding attacks?
Abuse aspects of web browser security and the DNS system to load malicious code from a third party via a client side script
What policy do attackers using rebinding attacks try to get around?
Same Origin Protocol
What is same origin protocol?
Protects clients from malicious scripts by limiting what sources a client side script can access
Enforced by web browsers
Same origin policy is only applied to __
scripts
What is the fatal flaw of same origin protocol?
It's based on hostname, not IP address
Meaning we can make the name point to wherever we want
What is content security policy?
Gives web apps control over where resources can be loaded from
How does same origin policy differ from content security?
SOP concerned with who a client side script can communicate with
CSP concerned with where a client may download resources from
What are the steps in a rebinding attack?
- Client requests a web page containing malicious JavaScript or other client-side code
- The script forces a new DNS call. The attacker's DNS server responds with a different IP address than the one it was originally pointed to
- The script can now make a connection to this different IP address without violating the same origin policy
What is a solution for rebinding attacks?
Set very low TTL for DNS records so that they go stale and must be requested again
What are two ways to open resolvers?
- Forcing minimum TTL
- Filtering
What types of mitigation can be used to mitigate rebinding attacks?
- Mitigation by DNS resolvers
- Mitigation by web browser
How do DNS resolvers mitigate rebinding attacks?
Resolver acts as the middleman, potentially stopping rebinding attacks by disrupting the DNS process
How do web browsers mitigate rebinding attacks?
Uses pinning to lock the IP address of a domain for some minimum amount of time