Recently I was able to give a talk at Austin OWASP about DNS Rebinding. I will be uploading slides and example code on this blog soon, but first an overview of the topic.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity. Excerpt from Wikipedia
DNS Rebinding overrides same origin policy so that the client believes it is talking to the same host when it really isn’t. The browser accesses sortabadsite.com and at first is getting legitimate responses from it. Shortly after the first requests (initial page load) are made, all communication is dropped and the browser will make a call back to DNS. At this point the IP address for the domain is swapped (maybe with 127.0.0.1) and the client is now running XHR (XML HTTP Requests) against the localhost. There are some interesting vectors that this can go and will be explored in future posts.
Check back at this blog for a video demo, slide deck and future plans for new code. Right now I am working on writing a DNS Rebinder application in Ruby that includes DNS, a firewall and a web server (or hooks into them). If you are interested, let me know. Gmail: wickett
I would be amiss if I didnt mention RSnake’s work on DNS Rebinding over ha.ckers.org. Check it out!