We knew it would happen some day... as soon as the Web 2.0 hype encouraged people to create REST and AJAX APIs, hackers would find fun new ways to abuse them... Today's security scare is brought to you by DNS Rebinding (Hat tip Artur Bergman).
The nifty thing about AJAX is that it lets a page make XMLHttpRequest calls back to the server it came from. The browser's same-origin policy won't let the page make those requests to other servers, only to the origin it was loaded from: if you're browsing the google.com web site, your script can only make AJAX requests to google.com. I always thought this same-origin policy was a bit restrictive, and probably wasn't as safe as everybody thought, so it always annoyed me. I usually choose remote scripting instead of AJAX for this reason.
Now it turns out you can get around the same-origin policy entirely with sneaky DNS settings. The browser still dutifully compares host names, but the host name no longer points where it did a moment ago, and an evil web site can use AJAX to connect to any resource behind your corporate firewall that your browser can reach!
Let's assume you accidentally go to some evil web site, like evil.com. First, your computer translates evil.com into an IP address, such as 220.127.116.11. Normally that answer is cached for a long time (the record's TTL is usually measured in hours), but it's possible to set up evil.com's DNS servers with a TTL of 5 seconds, or even zero. That means for nearly every request, your browser needs to look up the IP address again.
So let's say the hacker (or some script) at evil.com notices you're on the site. It then changes the A record for evil.com to point somewhere different, say 10.10.1.1, or any other IP address inside your corporate network. The next request your browser makes to evil.com is sent to that internal server instead, and because the page still believes it is talking to evil.com, the same-origin policy happily lets the JavaScript read the response. Browsers have tried to blunt this by "pinning" the first address they resolve for the life of the page, but pinning has been bypassed more than once, so don't count on it alone.
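To make the timing concrete, here is a small simulation of the sequence above. It is an added example, not code from the original post: a stand-in for the attacker's authoritative DNS server that flips its answer after the first lookup, and a stand-in for the browser's resolver cache that honours TTL. The domain evil.com and the internal address 10.10.1.1 come from the post; the public address 203.0.113.10 (a documentation range) and the fake clock are constructed for the example.

```python
import time


class RebindingResponder:
    """Attacker-controlled authoritative DNS for evil.com (hypothetical).

    The first A query gets the real public web server so the page loads;
    every later query gets an address inside the victim's network.
    """

    def __init__(self, public_ip, internal_ip, ttl=0):
        self.public_ip = public_ip
        self.internal_ip = internal_ip
        self.ttl = ttl          # seconds the client may cache the answer
        self.queries = 0

    def answer(self, name):
        """Return (ip, ttl) for an A query, or None for names we don't serve."""
        if name != "evil.com":
            return None
        self.queries += 1
        ip = self.public_ip if self.queries == 1 else self.internal_ip
        return ip, self.ttl


class TtlCachingClient:
    """Minimal model of a browser's DNS cache: re-resolve once the TTL expires."""

    def __init__(self, responder, clock=time.monotonic):
        self.responder = responder
        self.clock = clock
        self.cache = {}         # name -> (ip, expires_at)

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]       # still fresh, no new lookup
        ip, ttl = self.responder.answer(name)
        self.cache[name] = (ip, now + ttl)
        return ip


class FakeClock:
    """Deterministic clock so the simulation runs the same way every time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_attack(ttl, requests=3, seconds_between=5,
                    public_ip="203.0.113.10", internal_ip="10.10.1.1"):
    """Return the IP each successive AJAX request to evil.com is sent to.

    The browser's same-origin check only compares the host name, which is
    always "evil.com", so none of these requests is blocked by the browser.
    """
    clock = FakeClock()
    responder = RebindingResponder(public_ip, internal_ip, ttl=ttl)
    client = TtlCachingClient(responder, clock=clock)
    trace = []
    for _ in range(requests):
        trace.append(client.resolve("evil.com"))
        clock.advance(seconds_between)
    return trace


if __name__ == "__main__":
    print("TTL 0   :", simulate_attack(ttl=0))      # second request already goes internal
    print("TTL 3600:", simulate_attack(ttl=3600))   # cache holds the public IP
```

With a TTL of zero the second request is already talking to 10.10.1.1; with a normal TTL of an hour the cached public address is reused and the rebind never lands inside that window. Real resolvers and browsers add their own minimum TTLs and pinning on top of this model, which is why the attack is not quite as simple in practice as the simulation makes it look.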
Pretty evil, those guys at evil.com...
This kind of attack is nothing new -- I covered a mundane variation of it in my security presentation at Crescendo 2006... but AJAX plus DNS rebinding makes the method even more attractive to hackers.
If you're running Stellent/Oracle, I'd HIGHLY recommend installing the HtmlPostAuthenticator component. If properly configured, it should really help mitigate attacks of this nature. More generally, any internal web application should refuse requests whose Host header isn't one of its own names, because a rebound request still arrives with Host: evil.com, and your resolver can refuse to hand back private addresses for external names. This attack is also highly noisy, since the hacker has to guess internal addresses and probe them one rebind at a time, so unless the hacker knows your network very well, most intrusion detection systems should catch it eventually.