Attacks against DNS Pinning
Or was it?
In August 2006, Martin Johns discovered that DNS pinning can be defeated by rejecting HTTP connections. In step 5 of the attack, the user's browser enforces DNS pinning and so makes the subsequent request to the original IP address 1.2.3.4. However, if the attacker's server rejects this connection attempt (for example, by firewalling its HTTP port), then the user's browser drops the DNS pinning and performs a fresh lookup on wahh-attacker.com. At this point, the attacker responds with the IP address 5.6.7.8 and the attack proceeds as originally described. This behavior means that the protection offered by DNS pinning can be trivially defeated by any serious attacker.
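Whichever way the browser's pin is lost, the rebound request still carries the attacker's hostname in its Host header, because the browser believes it is talking to wahh-attacker.com. An application that answers only requests naming one of its own hostnames therefore does not depend on the browser's pinning at all. The following is an added example of such a server-side check, not code from the book; the allow-listed names app.example.com and www.app.example.com, the 421 response, and the constructed requests are assumptions for illustration.

```python
"""Server-side Host-header allow-list check against DNS rebinding.

Added example (not from the book). The check rejects any request whose Host
header is missing, is a bare IP literal, or names a host other than this
application's own names, so a rebound request that still says
"Host: wahh-attacker.com" is refused regardless of the browser's pin state.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Assumption: these are the only hostnames this application is served under.
ALLOWED_HOSTS = frozenset({"app.example.com", "www.app.example.com"})


def _split_host_port(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'host[:port]' or '[v6addr][:port]'; return (None, None) if malformed."""
    value = value.strip()
    if value.startswith("["):  # IPv6 literal in brackets
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None, None
        port = rest[1:] if rest else ""
    else:
        host, _, port = value.partition(":")
    if port and not port.isdigit():
        return None, None
    # Hostnames are case-insensitive; a trailing dot is the same name.
    return host.lower().rstrip("."), port


def is_trusted_host(host_header: Optional[str], allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names one of this application's own hosts."""
    if not host_header:
        return False
    host, _ = _split_host_port(host_header)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # raw IP literals are never one of our names
    except ValueError:
        pass
    return host in allowed


def handle_request(headers: Dict[str, str]) -> Tuple[int, str]:
    """Refuse to serve any request whose Host header is not ours."""
    host = headers.get("Host", headers.get("host"))
    if not is_trusted_host(host):
        # 421 Misdirected Request: this server is not the one the client named.
        return 421, "Misdirected Request"
    return 200, "OK"


def demo() -> Dict[str, int]:
    """Constructed sample requests: one legitimate, one rebound, one with no Host."""
    samples = {
        "legitimate": {"Host": "app.example.com"},
        "rebound":    {"Host": "wahh-attacker.com"},  # browser still names attacker's domain
        "no_host":    {},
    }
    return {name: handle_request(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10s} -> {status}")
```

The check is applied before any request handling, so it also works when the browser never pinned at all; note that the allow-list must contain every name the application is legitimately reached by, or real users on those names will be refused.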
A second defect in the reliance on DNS pinning defenses is that they do not protect users who access the Internet via a proxy server. In this situation, DNS resolution is performed by the proxy, not the browser. Hence, browser-based