Amit Klein and I have been going back and forth for the last few days about my last two posts, how browsers cache requests, how that can be abused, etc., and in the process Amit came up with another interesting way to do the same thing without requiring any DNS rebinding whatsoever. Here’s his idea:
BTW, I can improve your attack (I think), by eliminating the need for browser restart. If www.attacker.com sets a domain-wise cookie for all “.attacker.com”, and then forces navigation to, say, target.attacker.com (that maps, even statically, to 10.10.10.10), you have your XSS delivered.
He’s right - that would work. So being able to set cookies for an entire domain really is a security issue, because the browser decides which cookies to send by host name alone, never by the address the name resolves to. A cookie set by www.attacker.com for “.attacker.com” rides along to target.attacker.com, and the host that actually receives it is the internal machine at 10.10.10.10, a website the domain owner does not own. Interesting take. Again, while this wouldn’t give you access to the user’s session on that internal site, it might allow you to change site functionality, inject XSS (when the application echoes cookie values into its pages without encoding them), insert erroneous tracking information or something else - whatever could be done from an unauthenticated user state.
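To make the scoping rule concrete, here is an added example (not code from the original post or from Amit): a minimal cookie jar that applies RFC 6265 domain matching and walks through the scenario above. The host names and the 10.10.10.10 target come from the post; the cookie name, its payload value and the static name-to-address table are assumptions made up for the illustration.

```javascript
// Added example, not from the original post: a toy cookie jar that applies
// RFC 6265 domain matching. The point it demonstrates is that cookie scope is
// decided purely by host name; the IP a name resolves to never enters into it.

// RFC 6265 s5.1.3: `host` domain-matches `cookieDomain` when they are equal,
// or when host ends with "." + cookieDomain and host is not an IP literal.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // IPv4 literal: no suffix match
  return host.endsWith("." + cookieDomain);
}

// Path handling is omitted; every cookie is treated as Path=/.
class CookieJar {
  constructor() { this.cookies = []; }

  // Store a Set-Cookie issued by `requestHost`. A Domain attribute makes the
  // cookie apply to the whole domain tree (the "domain-wise" cookie in the
  // post); without one it is host-only (RFC 6265 s5.3 steps 4-6).
  setCookie(requestHost, name, value, domainAttr) {
    if (domainAttr) {
      const d = domainAttr.replace(/^\./, "");
      // A site may only set cookies for a domain it sits inside.
      if (!domainMatches(requestHost, d)) return false;
      this.cookies.push({ name, value, domain: d, hostOnly: false });
    } else {
      this.cookies.push({ name, value, domain: requestHost.toLowerCase(), hostOnly: true });
    }
    return true;
  }

  // Build the Cookie header for a request to `host` (RFC 6265 s5.4).
  cookieHeader(host) {
    return this.cookies
      .filter(c => c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// The scenario from the post, step by step.
function scenario() {
  const jar = new CookieJar();

  // 1. www.attacker.com sets a cookie for all of .attacker.com. The value is a
  //    constructed payload; it only matters if the target reflects cookie
  //    contents into its pages without encoding.
  jar.setCookie("www.attacker.com", "track", "<script>alert(1)</script>", ".attacker.com");

  // 2. The victim is sent to target.attacker.com, which (statically, as in the
  //    post) resolves to an internal address. The resolver table is assumed.
  const resolve = { "target.attacker.com": "10.10.10.10" };
  const name = "target.attacker.com";

  return {
    ip: resolve[name],
    // The browser attaches the cookie because the NAME matches .attacker.com,
    // even though the bytes go to 10.10.10.10.
    sentToTarget: jar.cookieHeader(name),
    // Browsing to the raw IP instead gets no attacker cookie at all.
    sentToRawIp: jar.cookieHeader(resolve[name]),
    // A look-alike name outside the tree gets nothing either.
    sentToLookalike: jar.cookieHeader("attacker.com.example"),
    // And www.attacker.com cannot set a cookie for a domain it is not inside.
    crossDomainSetRejected: !jar.setCookie("www.attacker.com", "x", "y", ".example.com"),
  };
}
```

Running `scenario()` shows the asymmetry the post is pointing at: the domain owner fully controls which names exist under attacker.com and where they point, while the host that ends up receiving the cookie has no say in the matter. Whether that turns into XSS depends entirely on how the internal application handles cookie values.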