web application security lab

Using DNS to enable XSS

A while back I was playing with a method of XSS that used DNS tricks (by the way, if you haven’t read LurHQ’s paper on DNS cache poisoning and how it can affect pharming, I recommend it), but I was unable to get it working.  After a few months of thinking about it, I’m 95% sure it could never work with the way browsers currently function: they keep the first DNS answer they got for a hostname for the duration of the browser session, regardless of the record’s TTL (the pingback below calls this DNS pinning).

The idea was actually fairly simple.  I would set up a website with a single piece of JavaScript on it that referenced a file which did not exist on the server, but would not request that file immediately.  When the victim visited the site, my DNS server would answer with one IP address but with a TTL of less than a second.  Once the victim had fetched the initial JavaScript, that script would wait a few seconds before doing anything.

After that pause it would request the file from the server.  By then the DNS record should have expired from the cache, so the browser would have to ask the DNS server for the IP address again.  This time the DNS server would hand back the IP address of the target machine (a different website).  The JavaScript would then have access to the file, because as far as the browser is concerned it lives on the same domain (even though it was served from a different IP address).  Flawless, huh?

Well, not exactly; there are two problems with it.  The first is that the browser caches DNS for the session, as I said above, so the second request never re-resolves and simply goes back to the original IP address.  The second is that cookies are tied to the hostname, not to the IP address: a request that reaches the target’s IP under my hostname carries my domain’s Host header and cookies, not the target’s, so the victim is generally not logged in as far as that machine is concerned.  That may not be true if there is some single sign-on state, but generally speaking, being logged into a website does not mean you are logged in when that site’s IP address is reached under a different hostname, because the browser treats it as a different domain.
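To make both problems concrete, here is a small simulation I am adding to this post (it is not code from the original technique, just a model of it).  It models a DNS server that answers with a zero TTL and changes its answer on the second lookup, and a browser that either honours the TTL or pins the first answer for the session.  Cookies are keyed by hostname, as in real browsers.  The hostnames and addresses (attacker.example, target.example, 203.0.113.10, 198.51.100.20) are made up for illustration.

```javascript
// Added example, not part of the original post: a toy model of the "DNS hiccup"
// idea. Hostnames and addresses are hypothetical (TEST-NET ranges).

const ATTACKER_HOST = "attacker.example"; // assumed attacker-controlled hostname
const ATTACKER_IP = "203.0.113.10";       // assumed attacker address
const TARGET_HOST = "target.example";     // assumed victim site
const TARGET_IP = "198.51.100.20";        // assumed victim address

// Attacker-controlled DNS server: the first lookup gets the attacker's address
// with a TTL of 0 seconds; every later lookup gets the target's address.
function makeDnsServer() {
  let lookups = 0;
  return {
    resolve(name) {
      if (name !== ATTACKER_HOST) {
        throw new Error(`not authoritative for ${name}`);
      }
      lookups += 1;
      const ip = lookups === 1 ? ATTACKER_IP : TARGET_IP;
      return { ip, ttlSeconds: 0 };
    },
  };
}

// Minimal browser model. With pinDns=true the first answer is reused for the
// whole session regardless of TTL; with pinDns=false the TTL is honoured.
// Cookies are stored per hostname, so a connection to a different IP under
// the same hostname still sends that hostname's cookies, never the cookies
// of whatever site actually lives at that IP.
function makeBrowser(dns, { pinDns }) {
  const cache = new Map();   // hostname -> { ip, expiresAt }
  const cookies = new Map(); // hostname -> cookie string
  const log = [];

  function resolve(name, now) {
    const entry = cache.get(name);
    if (entry && (pinDns || now < entry.expiresAt)) {
      return entry.ip; // reuse cached answer
    }
    const { ip, ttlSeconds } = dns.resolve(name);
    cache.set(name, { ip, expiresAt: now + ttlSeconds * 1000 });
    return ip;
  }

  return {
    setCookie(host, value) {
      cookies.set(host, value);
    },
    // Returns the request as the network would see it: which IP it went to,
    // which Host header it carried, and which cookies were attached.
    fetch(host, path, now) {
      const req = { host, ip: resolve(host, now), path, cookie: cookies.get(host) ?? "" };
      log.push(req);
      return req;
    },
    requests: () => log.slice(),
  };
}

// The scenario from the post: page load at t=0, then the delayed request for
// the missing script five seconds later.
function runScenario(pinDns) {
  const browser = makeBrowser(makeDnsServer(), { pinDns });
  browser.setCookie(TARGET_HOST, "session=victim-logged-in"); // victim is logged into the target
  browser.setCookie(ATTACKER_HOST, "tracker=abc");            // attacker site's own cookie
  browser.fetch(ATTACKER_HOST, "/index.html", 0);             // initial page with the JavaScript
  browser.fetch(ATTACKER_HOST, "/missing.js", 5000);          // the setTimeout'd request
  return browser.requests();
}

// Stand-alone run: print where each request went and what it carried.
for (const pinDns of [false, true]) {
  console.log(`pinDns=${pinDns}`);
  for (const r of runScenario(pinDns)) {
    console.log(`  ${r.path} -> ${r.ip} (Host: ${r.host}, Cookie: "${r.cookie}")`);
  }
}
```

Without pinning the second request really does land on the target’s IP, which is the first half of the trick working; but it arrives with the attacker hostname’s cookie and Host header, so the target sees an unauthenticated request for an unknown vhost.  With pinning the second request never leaves the attacker’s IP at all.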

So yes, DNS cache poisoning can still work, potentially, depending on the target DNS server, but as for the DNS hiccup I came up with?  Well, even the best laid plans can fail.  Alas, back to the drawing board on that one…

One Response to “Using DNS to enable XSS”

  1. ha.ckers.org web application security lab - Archive » Circumventing DNS Pinning for XSS Says:

    […] Martin Johns posted today about a technique for circumventing DNS pinning to enable cross site scripting against other domains (specifically against internal IP space). I too have looked into DNS pinning as an obstacle but was unable to get around the browser pinning. For those of you who aren’t aware of this problem here’s a simple explanation. If you go to www.whatever.com and that corresponds to an IP address, if you then change the IP address in the DNS record and request it again in the same browser session the browser will not look it up. In this way, you cannot fool the browser into requesting a piece of JavaScript a few seconds later from a different domain to bypass same origin policies. It’s a pain, trust me. […]