web application security lab

Circumventing DNS Pinning for XSS

Martin Johns posted today about a technique for circumventing DNS pinning to enable cross site scripting against other domains (specifically against internal IP space). I too have looked into DNS pinning as an obstacle but was unable to get around the browser pinning. For those of you who aren’t aware of this problem, here’s a simple explanation. When you go to www.whatever.com, the browser resolves that name to an IP address and keeps using that address for the rest of the browser session; if you then change the IP address in the DNS record and request the same name again, the browser will not look it up a second time. This is why you cannot simply fool the browser into requesting a piece of JavaScript a few seconds later from a different server (the same hostname, now pointed at a different IP address) to bypass the same origin policy: the browser keeps talking to the address it first resolved. It’s a pain, trust me.

What Martin found is that if the pinned server goes down (the connection to the cached IP address fails), the browser will in fact drop the pin and perform a fresh DNS lookup. That’s something I had never tried before personally and a great find! I had tried modifying hosts files, changing DNS records, and all sorts of things, short of ARP spoofing since I generally don’t have access to the switch in question. So the trick is: you change the DNS record to point www.whatever.com at the internal IP address and either shut down the webserver or add a firewall rule immediately afterwards, so the browser drops its cached DNS entry for www.whatever.com, and poof, the browser fetches the same hostname from a different IP address. Because the hostname has not changed, the browser treats the response as the same origin, so your JavaScript can read it despite the same origin policy. Voila!

The only limitation he came up with was that the target must be accessible directly at its IP address (as the default site), not only at the virtual host level, because the browser will still send a Host: header for www.whatever.com, a name the internal server does not know. If you can get around that, you now have read/write access to any internal host from JavaScript! That’s an amazing extension of cross site scripting that was never possible before! Great find, Martin!
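To make the sequence concrete, here is a constructed simulation of the pinning behaviour and the failover trick described in the two paragraphs above. It was written for this page and is not taken from Martin Johns’ post or from any browser’s source. The browser model, the toy network, the hostname www.attacker.example and the addresses 203.0.113.10, 10.0.0.5 and 10.0.0.6 are all assumptions; the model’s one rule is the one Martin observed: a pinned address is kept until a connection to it fails, after which the browser resolves the name again. The second intranet target models the virtual-host limitation, where the request still carries the attacker’s hostname in Host: and a name-based server refuses it.

```javascript
// Constructed model of browser DNS pinning and the failover trick described above.
// Not a real browser or DNS client: the Network, AttackerDns and PinningBrowser
// classes, the hostname www.attacker.example and the addresses below are all
// assumptions made for the simulation.
const ATTACKER_HOST = 'www.attacker.example';
const ATTACKER_IP = '203.0.113.10';     // attacker's public web server
const INTRANET_IP = '10.0.0.5';         // intranet host answering on its IP (default site)
const VHOST_ONLY_IP = '10.0.0.6';       // intranet host that only answers for a known Host:

// The attacker's authoritative zone: one record the attacker can rewrite at any time.
class AttackerDns {
  constructor(ip) { this.ip = ip; }
  point(ip) { this.ip = ip; }
  resolve(host) {
    if (host !== ATTACKER_HOST) throw new Error(`NXDOMAIN ${host}`);
    return this.ip;
  }
}

// A toy network: each IP either has a listening handler or refuses connections.
class Network {
  constructor() { this.servers = new Map(); }
  listen(ip, handler) { this.servers.set(ip, handler); }
  down(ip) { this.servers.delete(ip); }      // server stopped or port firewalled
  connect(ip, request) {
    const handler = this.servers.get(ip);
    if (!handler) {
      const err = new Error(`connect ${ip}: connection refused`);
      err.code = 'ECONNREFUSED';
      throw err;
    }
    return handler(request);
  }
}

// Browser with DNS pinning: the first answer for a hostname is reused for the
// whole session, regardless of later DNS changes, unless the connection fails.
class PinningBrowser {
  constructor(dns, network) { this.dns = dns; this.network = network; this.pins = new Map(); }
  fetch(host, path) {
    if (!this.pins.has(host)) this.pins.set(host, this.dns.resolve(host));
    const request = { host, path };          // Host: header is still the original name
    try {
      return this.network.connect(this.pins.get(host), request);
    } catch (err) {
      if (err.code !== 'ECONNREFUSED') throw err;
      // Johns' observation: a failed connection drops the pin and re-resolves.
      this.pins.set(host, this.dns.resolve(host));
      return this.network.connect(this.pins.get(host), request);
    }
  }
}

function buildLab() {
  const dns = new AttackerDns(ATTACKER_IP);
  const net = new Network();
  net.listen(ATTACKER_IP, req => ({ status: 200, servedBy: ATTACKER_IP, body: 'attacker page + script' }));
  // Default site: answers whatever Host: header arrives.
  net.listen(INTRANET_IP, req => ({ status: 200, servedBy: INTRANET_IP, hostHeader: req.host, body: 'intranet wiki' }));
  // Name-based virtual hosting only: an unknown Host: gets an error page (the limitation above).
  net.listen(VHOST_ONLY_IP, req => req.host === 'wiki.corp.internal'
    ? { status: 200, servedBy: VHOST_ONLY_IP, hostHeader: req.host, body: 'intranet wiki' }
    : { status: 404, servedBy: VHOST_ONLY_IP, hostHeader: req.host, body: 'unknown virtual host' });
  return { dns, net, browser: new PinningBrowser(dns, net) };
}

// Runs the three steps against the given intranet address and returns each response.
function runAttack(targetIp) {
  const { dns, net, browser } = buildLab();
  const trace = [];
  trace.push(browser.fetch(ATTACKER_HOST, '/'));        // 1. victim loads the attacker page
  dns.point(targetIp);                                   // 2. DNS repointed: the pin still wins
  trace.push(browser.fetch(ATTACKER_HOST, '/poll'));
  net.down(ATTACKER_IP);                                 // 3. server down: pin dropped, name re-resolved
  trace.push(browser.fetch(ATTACKER_HOST, '/'));
  return trace;
}

console.log(JSON.stringify(runAttack(INTRANET_IP), null, 2));
console.log(JSON.stringify(runAttack(VHOST_ONLY_IP), null, 2));
```

Run with node: the first trace shows the second request still served by 203.0.113.10 even though DNS already points elsewhere, and the third served by 10.0.0.5 with hostHeader still www.attacker.example, which is exactly what a same-origin XMLHttpRequest in the attacker’s page would be allowed to read. The second trace ends in a 404 from 10.0.0.6, because a name-based virtual host never sees a Host: it recognises.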

One Response to “Circumventing DNS Pinning for XSS”

  1. ha.ckers.org web application security lab - Archive » DNS Pinning Just Got Worse Says:

    […] Amit Klein just published a rather interesting article on how anti-DNS pinning techniques can be circumvented. Namely how you can get around Host: header restrictions by using XmlHttpRequest or by forging headers with Flash. Coupled with Martin Johns’ DNS pinning circumvention technique this marks a sad day for web application security for Intranet applications. […]