web application security lab

OpenDNS Stops Some Phishing and has Some Issues

I haven’t had a chance to play with OpenDNS yet, but I’ve been hearing about it a lot lately. One of the great things about it is that it attempts to fight phishing by locating domains that have phishing sites on them and blackholing them with this page. Pretty cool stuff, actually. One of these days I’m going to have to play with it.

I’m just going to go out on a limb here and pretend I know how it works. It probably uses a blacklist of domains. Unfortunately that means if my phishing site is on a hacked machine that also hosts other legitimate content, all of it is now inaccessible to users. That may or may not be a bad thing, but what about XSS? Everything is vulnerable to XSS. So any time I put up a phishing XSS site on any domain (Google, Yahoo, you name it) it gets blackholed? There’s got to be a better way to do that with more intelligence.

And then there is the XSS issue:

GET / HTTP/1.0
Host: <body onload=alert("XSS")>.com
User-Agent: blah blah
Accept: */*
Accept-Language: ru
Accept-Encoding: gzip,deflate
Accept-Charset: */*

Colons and slashes are not allowed in the Host: header, but pretty much everything else is, which allows you to run arbitrary JavaScript on phish.opendns.org using the Flash header injection method. That means if my phishing site is on host “A”, I can XSS some other site “B” to do a simple redirect and, with the Flash injection, have users forwarded to the real address of the phishing site “A”; even after I’m caught and the page that redirects to “A” is blocked, I can run XSS on the openwall server to continue my phishing phun. Beautiful.
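As an added illustration (not OpenDNS’s code, which the post does not show), here is a Python sketch of the two fixes the thread converges on: validate the Host header against a plain hostname grammar before reflecting it into the block page, and HTML-escape whatever is reflected regardless. The request samples and function names are constructed for the example.

```python
import html
import re

# RFC 1123 hostname grammar: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, 63 chars per label, 253 total.
# A port suffix is deliberately not accepted here.
HOST_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?",
    re.IGNORECASE,
)

def is_valid_host(host: str) -> bool:
    """True only when the Host value is syntactically a hostname."""
    return HOST_RE.fullmatch(host) is not None

def host_from_request(raw_request: str) -> str:
    """Pull the Host header value out of a raw HTTP request text."""
    for line in raw_request.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""

def render_block_page_vulnerable(host: str) -> str:
    """The defect the post describes: the Host value is reflected verbatim."""
    return f"<p>Blocked phishing site: {host}</p>"

def render_block_page_hardened(host: str) -> str:
    """Reject non-hostnames up front, and HTML-escape what is reflected anyway."""
    if not is_valid_host(host):
        host = "(invalid Host header)"
    return f"<p>Blocked phishing site: {html.escape(host, quote=True)}</p>"

# Constructed sample requests: one benign, one with markup in the Host header
# in the spirit of the request shown above.
BENIGN_REQUEST = "GET / HTTP/1.0\r\nHost: example.com\r\nAccept: */*\r\n\r\n"
MALFORMED_REQUEST = "GET / HTTP/1.0\r\nHost: <b>not-a-host</b>.com\r\nAccept: */*\r\n\r\n"

def suspicious_hosts(requests):
    """Detection view: Host values that fail the hostname grammar, for logging/alerting."""
    return [h for h in (host_from_request(r) for r in requests) if not is_valid_host(h)]
```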

I still think it’s an interesting idea, even with the flaws. I’d rather see this as a content filter proxy rather than a DNS server implementation because I think DNS servers are too blind (they don’t see paths). But it’s still probably better than nothing in the short term, until the phishing community changes their tactics.

9 Responses to “OpenDNS Stops Some Phishing and has Some Issues”

  1. David Ulevitch Says:

    Hmm, we guard against XSS pretty well on the http://search.opendns.com/ page. If we missed a spot on phish.opendns.com it’ll be fixed in a few minutes. In fact, I’ll fix it right now.

    The best place to tell us about this kind of thing is also security@opendns.com. If we don’t respond in a timely manner, feel free to post publicly, but I think responsible disclosure is pretty important and most folks agree.

    Thanks!

    David Ulevitch

  2. David Ulevitch Says:

    Fixed. Can you check?

    -david

  3. RSnake Says:

    Looks good, David - properly escaped. Sorry, I didn’t mean to spring it on you. XSS is everywhere, so disclosure sorta doesn’t make sense (I’d be emailing people all day long because I find dozens of problems just by surfing around). But anyway, yes, I agree with the principle of RFP’s stuff, and he and I chatted about it several years ago after he published it when we were both at DefCon. It’s a good rule of thumb.

  4. Fergie Says:

    I see Ulevitch is on the ball. Good job, David. :-)

    - ferg

  5. David Ulevitch Says:

    Rock and Roll Ferg Dawg.

    Thanks RSnake. Thanks for pointing it out though, better you than some kiddie.

  6. RSnake Says:

    David, no problem, and I’ll let you know if I find other issues. I don’t know if I can ever use your service full time since I _need_ to be able to go to those sites, but it’s an interesting concept. Are you pulling from the APWG lists, PRN lists, Mark Monitor’s lists or building your own?

    As an inverse to your concept of making money is a blackhat approach to the same concept that was recently discussed on the blackhat SEO forums ($100 membership fee). I trust that you guys are on the up and up, but be aware that there are less trustworthy people considering the same solutions.

  7. GMC Says:

    As a user of OpenDNS, it’s really nice to see this sort of cooperation. Kudos to both parties for spotting the problem and for having it fixed in short order.

    G.

  8. teemu Says:

    OT: traditional DNS infrastructure would be capable of reducing spam and phishing tremendously if ISPs would start getting PTR entries for their customers’ MX records (as mentioned in RFC1912); we then would be able to reject mails coming from botnets, improperly configured MTAs and so on. Right now all you get, if you start enforcing policies like that, are customer complaints.

  9. RSnake Says:

    That’s one of the reasons I like MessageLabs as a company. They basically just ask you to change your MX record to their servers and they take care of everything. No additional infrastructure, and it catches nearly everything. I don’t know if they have an anti-phishing strategy or not, as I talked to them way before phishing was as big of a problem, but I would have to assume they do. Taking the problem out of the administrators’ hands might not be a bad idea in this case.