Web 2.0 Security Hole: DNS Rebinding

We knew it would happen some day... as soon as the Web 2.0 hype encouraged people to create REST and AJAX APIs, hackers would find fun new ways to abuse them... Today's security scare is brought to you by DNS Rebinding (Hat tip Artur Bergman).

The nifty thing about AJAX is that it allows you to make XML requests back to the originating server. It won't let you make requests to other servers, only to the one you are connected to. So if you're browsing the google.com web site, you can only make AJAX requests to google.com. I always thought this same-origin policy was a bit restrictive, and probably wasn't as safe as everybody thought, so it always annoyed me. I usually choose remote scripting instead of AJAX for this reason.

Now it turns out you can completely hijack this same-origin policy with sneaky DNS settings... and an evil web site can use AJAX to connect to any resource behind your corporate firewall!

Let's assume you accidentally go to some evil web site, like evil.com. First, your computer translates evil.com into an IP address, such as 1.2.3.4. Normally, this IP address data is cached for a long time, but it's possible to set up evil.com's DNS servers to expire the cached answer every 5 seconds (a DNS TTL of 5 seconds). That means for every request, your browser needs to look up the IP address again.

So, let's say the hacker (or some robot) at evil.com notices you're on the site. It then changes the DNS record to something different... say 10.10.1.1, or any other IP address inside your corporate network. That means the next request you make to evil.com will be sent to an internal server instead.

It gets worse... If evil.com is running some AJAX, or a Rich Internet Application (Flash/Flex/Apollo/Silverlight), the hacker can use your browser as a proxy through your firewall, and run attacks. Since the IP address has been changed to an internal address, any AJAX request made in JavaScript will reach an internal server instead of evil.com, while the browser still treats it as the same origin. This can be used to send spam, change passwords, or read any XML-formatted content. As long as you keep that browser window open, the hacker has full access to your internal network through your browser!

Pretty evil, those guys at evil.com...

These attack forms are nothing new -- I covered a mundane variation of this in my security presentation at Crescendo 2006... but AJAX plus DNS rebinding makes this method even more attractive to hackers.

If you're running Stellent/Oracle, I'd HIGHLY recommend installing the HtmlPostAuthenticator component. If properly configured, it should really help mitigate attacks of this nature. This attack is also highly noisy, so unless the hacker knows your network very well, most intrusion detection systems should catch it eventually.
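One place to catch the attack described above is the DNS resolver, before the browser ever sees the rebound answer: an external name must never resolve to an address inside your network, and a very short TTL on an external name is the precondition the attack needs. The check below is an added example written for this post (it is not the Stellent component and not code from the original article); the internal zone `corp.example`, the 30-second TTL threshold and the sample answers are all constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumption: zones we own, which may legitimately resolve into RFC 1918 space.
INTERNAL_ZONES = ("corp.example",)

# Assumption: TTLs at or below this on an external name are worth a warning.
# The post's example uses a 5-second TTL; CDNs commonly use 60 s or more.
SHORT_TTL_SECONDS = 30


def is_internal_name(name: str) -> bool:
    """True if the name sits in one of our own zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def check_answer(name: str, address: str, ttl: int) -> Optional[str]:
    """Return a reason if this A-record answer looks like rebinding, else None.

    Mirrors what a rebinding-aware resolver does: refuse private, loopback or
    link-local addresses for names we do not own, and warn on very short TTLs.
    """
    ip = ipaddress.ip_address(address)
    if is_internal_name(name):
        return None  # our own zones are allowed to point at internal hosts
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"external name {name} resolved to non-public address {address}"
    if ttl <= SHORT_TTL_SECONDS:
        return f"external name {name} answered with short TTL of {ttl}s"
    return None


def filter_answers(answers: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str]]:
    """Run check_answer over (name, address, ttl) tuples; return the flagged ones."""
    flagged = []
    for name, address, ttl in answers:
        reason = check_answer(name, address, ttl)
        if reason:
            flagged.append((name, address, ttl, reason))
    return flagged


# Constructed sample: the sequence from the post. evil.com first answers with a
# public address and a 5-second TTL, then flips to a host inside the corporate
# network. The last two entries are benign answers that must not be flagged.
SAMPLE_ANSWERS = [
    ("evil.com", "1.2.3.4", 5),
    ("evil.com", "10.10.1.1", 5),
    ("intranet.corp.example", "10.10.1.1", 3600),
    ("example.net", "5.6.7.8", 300),
]
```

Running `filter_answers(SAMPLE_ANSWERS)` flags only the two evil.com answers: the first for its 5-second TTL, the second, the actual rebind, for resolving an external name to 10.10.1.1.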

comments

Where can I get the HtmlPostAuthenticator component?

Is it available from Oracle?

Also, where can I find documentation on it and the EnableSecureGets setting?

Thanks!
Audrey

Built in to 11g.

What version of UCM are you on?

10gR3

sadly :(

Maybe Oracle.

If not, contact Bezzotech support and we might be able to dig one up...
