The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

DNS pinning is irrelevant, and the hypothetical attack originally described is

fully effective. For further details, see the following paper:

http://www.ngssoftware.com/research/papers/

DnsPinningAndWebProxies.pdf

A further twist in the DNS pinning story relates to the HTTP 

Host

header.

Notice that in step 6, the request to the 

wahh-app.com

web server contains the

domain 

wahh-attacker.com

in its 

Host

header, because the user’s browser still

believes it is accessing the attacker’s domain. This means that web sites could

seek to defend against anti-DNS pinning by checking the 

Host

header in all

requests and rejecting those specifying a different domain. However, an

attacker can spoof an arbitrary 

Host

header in various ways, both via 

XML-

HttpRequest

itself on older browsers or through older versions of Flash.

Hence, checking the 

Host

header should not be considered a reliable means of

thwarting anti-DNS pinning attacks. The only failsafe method is to ensure that

sensitive web content is protected by effective authentication and sessions,

regardless of any defenses imposed by the network topology.

Note that because an attacker performing anti-DNS pinning can gain full

two-way interaction with a target web application, he can perform any of the

attacks that are possible against applications on the public Internet. Hence,

organizations hosting applications internally on protected networks should

ensure that they are robustly defended against common web application

attacks, in the same way as if those applications were accessible directly from

the Internet.

Download 5,76 Mb.

Do'stlaringiz bilan baham: