A while back I was playing with a method of XSS that used DNS tricks (by the way, if you haven’t read LurHQ’s paper on DNS cache poisoning and how it can affect pharming, I recommend it), but I was unable to get it working. After a few months of thinking about it, I’m 95% sure it could never work with the way browsers currently function: they keep DNS state for the duration of their session.
Well, not exactly: there are two problems with it. The first is that the browser caches DNS, as I said above. The second is that the IP address is generally not where the user’s cookie data is sent, and therefore the user probably isn’t logged into that machine when it is addressed by IP. That may not be true if there is single sign-on state, but generally speaking, if you are logged into a website you aren’t logged into the IP address of the same site, because the browser treats it as a different domain (cookies are scoped to the hostname, not to the address it resolves to).
So yes, DNS cache poisoning can potentially still work, depending on the target DNS server, but as for the DNS hiccup that I came up with? Well, even the best-laid plans can fail. Alas, back to the drawing board on that one…
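To make the two objections concrete, here is an added example (my own illustration, not code from the post) that models both: a browser that pins the first DNS answer for its session, and a cookie jar that only releases cookies to a matching hostname. The cookie-scoping logic follows the RFC 6265 domain-match rules, which were written up long after this post but describe the same host-scoped behaviour browsers had then; the `PinningBrowser` class is a toy model, and the hostnames and RFC 5737 documentation addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List


def is_ip_literal(host: str) -> bool:
    """True when the request host is an IPv4/IPv6 address literal, not a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: identical, or request_host ends in
    '.' + cookie_domain and request_host is a host name (never an IP literal)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    if is_ip_literal(request_host):
        return False
    return request_host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    domain: str        # canonical host, or the Domain attribute without leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def cookies_for_request(jar: List[StoredCookie], request_host: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if host == c.domain.lower():
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            sent.append(c.name)
    return sent


class PinningBrowser:
    """Toy model (assumption, not any real browser's code) of a browser that keeps
    the first DNS answer for a host for the rest of its session."""

    def __init__(self, resolver: Callable[[str], str]):
        self.resolver = resolver          # what the network currently answers
        self.pinned: Dict[str, str] = {}  # what the browser will keep using

    def resolve(self, host: str) -> str:
        if host not in self.pinned:
            self.pinned[host] = self.resolver(host)
        return self.pinned[host]


def scenario() -> dict:
    """Walk through the post's two objections on constructed data."""
    live_dns = {"www.example.com": "192.0.2.10"}           # constructed zone
    browser = PinningBrowser(lambda h: live_dns[h])
    jar = [
        StoredCookie("session", "abc", "www.example.com", host_only=True),  # no Domain attr
        StoredCookie("sso", "xyz", "example.com", host_only=False),         # Domain=example.com
    ]
    first = browser.resolve("www.example.com")
    live_dns["www.example.com"] = "203.0.113.7"            # cache poisoned after first load
    second = browser.resolve("www.example.com")            # browser still uses its pinned answer
    return {
        "pinned_ip_unchanged": first == second,
        "cookies_to_hostname": cookies_for_request(jar, "www.example.com"),
        "cookies_to_sso_host": cookies_for_request(jar, "sso.example.com"),
        "cookies_to_real_ip": cookies_for_request(jar, "192.0.2.10"),
        "cookies_to_attacker_ip": cookies_for_request(jar, "203.0.113.7"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Even if the poisoned answer were honoured, a request addressed to the raw IP (the real one or the attacker's) carries neither the host-only session cookie nor the `Domain=example.com` single-sign-on cookie, which is the second problem the post describes.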