of same origin restrictions in some situations, enabling a malicious web site to
interact with a different domain.
A Hypothetical Attack
To understand what DNS pinning is, and why it is necessary, let us first imagine a world in which it does not exist. Suppose that a malicious web site wishes to retrieve and process data from a different domain. Without DNS pinning, this attack could be achieved through the following steps:
1. An unwitting user follows a link to the URL http://wahh-attacker.com/.
2. The user's browser resolves the domain name wahh-attacker.com. To do this, it performs a DNS lookup on the attacker's name server. The name server responds with the IP address of the attacker's web server (1.2.3.4), with a time to live (TTL) of one second.
3. The user's browser issues the following request to IP address 1.2.3.4:
   GET / HTTP/1.1
   Host: wahh-attacker.com
4. The attacker's web server returns a page containing a script that waits for two seconds and then performs two actions. The first action is to use XMLHttpRequest to retrieve http://wahh-attacker.com/. Because this is the same domain that invoked the script, the request is permitted.
5. Because the browser has waited for two seconds, its previous DNS lookup on wahh-attacker.com has now expired, and so the browser performs a second lookup. This time, the attacker's name server responds with the IP address of wahh-app.com, which is 5.6.7.8.
6. The user's browser issues the following request to IP address 5.6.7.8:
   GET / HTTP/1.1
   Host: wahh-attacker.com
7. The wahh-app.com server responds with its content, which the attacker's script is able to process via the XMLHttpRequest object.
8. The attacker's script loaded in step 4 performs its second action, which is to transmit the data retrieved in step 7 to a location controlled by the attacker. Recall that any web site can issue a request to any other domain, and in this case, the attacker's script posts the captured data to www2.wahh-attacker.com in the standard way.
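The eight steps above, as an added example that is not part of the original text: an in-process Node.js simulation of the attacker's name server, a browser with a TTL-based DNS cache, and the wahh-app.com server. It runs the same sequence three times: without DNS pinning against a naive server (the attack as described), with DNS pinning (the browser keeps the first answer for the page's lifetime), and without pinning but against a server that checks the Host header, which is the usual server-side mitigation and goes beyond what the walkthrough covers. The host names, IPs and TTL are the ones from the steps; the servers, the simulated clock and the status code 421 used for rejected requests are assumptions of this example, and nothing touches the real network.

```javascript
// Added example (not from the original text): simulate the rebinding attack
// and the two controls that break it. All hosts are in-process; no network.

// Attacker's name server (steps 2 and 5): first answer is the attacker's own
// web server with a 1-second TTL; every later answer is wahh-app.com's IP.
function attackerNameServer() {
  let answered = false;
  return function resolve(name) {
    if (name !== 'wahh-attacker.com') throw new Error('NXDOMAIN ' + name);
    if (!answered) {
      answered = true;
      return { ip: '1.2.3.4', ttlSeconds: 1 };
    }
    return { ip: '5.6.7.8', ttlSeconds: 1 }; // rebound to wahh-app.com
  };
}

const APP_SECRET = 'SECRET wahh-app.com content'; // constructed sample data

// Web servers keyed by IP. The one at 5.6.7.8 is the naive wahh-app.com
// server of step 7: it answers regardless of the Host header it receives.
const servers = {
  '1.2.3.4': () => ({ status: 200, body: '<script>/* attacker payload */</script>' }),
  '5.6.7.8': () => ({ status: 200, body: APP_SECRET }),
};

// Hardened wahh-app.com server (assumed mitigation): serves only names it
// actually owns, so "Host: wahh-attacker.com" is refused. 421 is one common
// choice of status; 400 or 403 would serve equally well.
const APP_HOSTNAMES = new Set(['wahh-app.com', 'www.wahh-app.com']);
function hardenedAppServer(req) {
  if (!APP_HOSTNAMES.has(req.host)) return { status: 421, body: 'Misdirected Request' };
  return { status: 200, body: APP_SECRET };
}

// Minimal browser with a DNS cache and a simulated clock. With pinDns=false it
// re-resolves once the record's TTL has elapsed (the attack scenario); with
// pinDns=true the first answer for a name is kept for the page's lifetime.
function createBrowser({ resolve, servers, pinDns }) {
  const cache = new Map(); // name -> { ip, expiresAt }
  let now = 0;             // simulated clock, in seconds
  function lookup(name) {
    const hit = cache.get(name);
    if (hit && (pinDns || hit.expiresAt > now)) return hit.ip;
    const ans = resolve(name);
    cache.set(name, { ip: ans.ip, expiresAt: now + ans.ttlSeconds });
    return ans.ip;
  }
  return {
    sleep(seconds) { now += seconds; },
    // GET http://<host>/ : resolve <host>, then send "Host: <host>" to that IP.
    get(host) {
      const ip = lookup(host);
      const res = servers[ip]({ host, path: '/' });
      return { ip, status: res.status, body: res.body };
    },
  };
}

// Steps 1-7. Returns where each request actually went and what the script's
// XMLHttpRequest (the second GET) received. Step 8 is only the script posting
// that body to www2.wahh-attacker.com, so it is not modelled here.
function runRebindingAttack({ pinDns, appServer = servers['5.6.7.8'] }) {
  const hosts = { ...servers, '5.6.7.8': appServer };
  const browser = createBrowser({ resolve: attackerNameServer(), servers: hosts, pinDns });
  const first = browser.get('wahh-attacker.com');   // steps 1-3: lands on 1.2.3.4
  browser.sleep(2);                                  // step 4: script waits 2 s
  const second = browser.get('wahh-attacker.com');  // steps 5-7: "same-origin" XHR
  return { firstIp: first.ip, secondIp: second.ip, secondStatus: second.status, secondBody: second.body };
}

console.log('no pinning, naive server :', runRebindingAttack({ pinDns: false }));
console.log('DNS pinning, naive server:', runRebindingAttack({ pinDns: true }));
console.log('no pinning, Host check   :', runRebindingAttack({ pinDns: false, appServer: hardenedAppServer }));
```

In the first run the second request reaches 5.6.7.8 and the script receives wahh-app.com's content; with pinning the second request goes back to 1.2.3.4 and only ever sees the attacker's own page; with the Host check the request still reaches 5.6.7.8, but the server refuses to answer for a name it does not own. The two controls are independent, which is why a server should not rely on every client's browser pinning correctly.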
The hypothetical attack just described succeeds in retrieving data across domains; however, it only constitutes a partial breach of the browser's same origin policy. Crucially, in step 6 the user's browser believes it is submitting a request to the domain wahh-attacker.com, and this is the context in which the request is made. Any cookies that the user has for the domain wahh-app.com,