web application security lab

DNS Rebinding for Credential Brute Force

In part two of my DNS rebinding diatribe I wanted to talk a little more about the previous problem of session fixation. Session fixation is great, but it’s only great if getting them into your account provides you some value as an attacker. Sometimes that’s useful, sometimes it’s not. But what about a different scenario, where the attacker has no access to the page in question, so they can’t get access to an account ahead of time? What if the web server is back behind the firewall again? What if it’s a web server that he wants to compromise but that happens to use some cookie as an authentication token? Ahhh… here’s where we might be able to attack it.

A lot of people still don’t get that you don’t need to know people’s usernames and/or passwords to get into their accounts. If you can get (or guess) the credential, that’s good enough. What if the credential were a weak cookie like username=bob or id=1234567? It might be extremely trivial to use DNS rebinding not only to read the login page and perform a traditional brute force attack but also, if the format of the credential is known (as in a lot of open source projects), to brute force that token. So yes, by using DNS rebinding and brute force you can then fix their session to whatever account you just broke into. And it just keeps getting worse…
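From the server side, the weak cookie pattern described above can be set beside a hardened one. The following is an added example, not code from the original post: it contrasts an identity-bearing cookie with a random server-side session token and adds a Host header allowlist, which rejects requests that reach the server under a rebound hostname. The hostnames, cookie names and function names are assumptions made for illustration.

```python
import secrets

# Assumed for illustration: the hostnames this internal app is served under.
ALLOWED_HOSTS = {"intranet.example", "intranet.example:8080"}
SESSIONS = {}  # server-side store: random token -> username


def host_allowed(host_header):
    """A rebound page talks to this server under the attacker's hostname,
    so its Host header does not match any name the app is deployed under."""
    return (host_header or "").strip().lower() in ALLOWED_HOSTS


def weak_auth(cookie):
    """Pattern from the post: the cookie value itself is the identity."""
    name, _, value = cookie.partition("=")
    return value if name == "username" and value else None


def issue_session(username):
    """Hardened form: 256 random bits that encode nothing about the user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return "sid=" + token


def strong_auth(cookie):
    name, _, value = cookie.partition("=")
    return SESSIONS.get(value) if name == "sid" else None


def handle(headers, auth=strong_auth):
    """Return (status, user); reject unknown Host values before any auth."""
    if not host_allowed(headers.get("Host")):
        return 400, None
    user = auth(headers.get("Cookie", ""))
    return (200, user) if user else (401, None)


if __name__ == "__main__":
    good = issue_session("bob")  # constructed sample requests below
    print(handle({"Host": "intranet.example", "Cookie": "username=bob"}, weak_auth))
    print(handle({"Host": "intranet.example", "Cookie": "username=bob"}))
    print(handle({"Host": "intranet.example", "Cookie": good}))
    print(handle({"Host": "rebind.attacker.example", "Cookie": good}))
```

With `weak_auth`, knowing the cookie format is enough to be treated as bob; with `strong_auth` the same cookie gets a 401, and even a valid token is refused when the Host header is not one the server recognises.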

One Response to “DNS Rebinding for Credential Brute Force”

  1. Wornstrom Says:

    Man, I love reading this stuff. Keep up the good work.