Paid Advertising
web application security lab

MitM DNS Rebinding SSL/TLS Wildcards and XSS

27 posts left…

This was one of the more complex issues Josh Sokol and I talked about during our presentation at Blackhat. Let’s say there’s an SSL/TLS protected website ( that an attacker knows that the victim is using. The attacker is a MitM but let’s say that has no security flaws in it whatsoever. Let’s also say that there’s another subdomain called that has the following attributes: It has no important information on it (otherwise the attacker would be content with attacking it instead), it’s vulnerable to XSS, it doesn’t care about host headers and uses a wildcard cert for * How can an attacker use that to their advantage?

The victim requests the IP for for which the attacker modifies the responding DNS TTL to 1 sec (and all subsequent DNS traffic to that domain). The victim logs into (gets cookie). Doing login detection can help determine that the user is authenticated but it’s important that the attack doesn’t start before this, otherwise the attack will fail.

The attacker firewalls off the IP to and forces user to the XSS URL at:’XSS’)%20a (notice that the hostname is wrong as it should be because that is where the XSS lives). Note that this WAS a real XSS in mxr, but has been fixed, and to make it work it would require the user to mouse over it, so you’d have to do some clickjacking or something, but let’s just pretend that all wasn’t a problem, and/or that there was an easier XSS.

The victim requests the IP for again but this time the attacker responds to the DNS request (with 1 second TTL) with the IP address of (not addons). The user connects to the IP address sending the wrong host header - the reason this works is because the wildcard SSL/TLS cert allows for any domain and the website doesn’t care about host headers. The victim runs the XSS in context of even though they’re on the IP. That sounds bad (maybe useful for phishing) but there’s worse the attacker can do.

The attacker can give up if doesnít use HTTPOnly cookies because the attacker can just steal the cookie from JavaScript space. But let’s assume that addons has no flaws in it, including how it sets cookies. In that case the attacker just rebinds again. For lack of a better term we called this “double DNS rebinding.”

The attacker firewalls off IP for and un-firewalls off the IP. The victimís browser re-binds and requests DNS for again. The attacker delivers the IP for The victimís cookie is sent to and the JavaScript is now in context of The victim runs BeEf shell back to attacker, which allows the attacker to see the contents of the user’s account and interact as if they were the user.

We talked with a few people in various places about how likely this is, and although it worked on one of the two sites we checked we think the likelihood that it will work on SSL/TLS enabled sites is pretty low. It has to be wild card, has to have HTTP Response splitting/XSS, etc… and has to ignore the host header. We guesstimate that it’s probably between 2-4% of SSL/TLS protected sites that would be affected by this, although, in reality there’s not a lot of risk here because this has a lot of moving parts - there are certainly easier exploits out there. But the interesting part is this is yet another reason that all sub domains should be considered in scope when you’re talking about something sensitive sitting behind authentication beyond just breaking in and stealing the cert outright.

Incidentally when I told the Mozilla guys about this, they said, “Why would we have checked for XSS in mxr? There’s nothing important on there… It’s all public information.” followed by, “Well, it’ll be fun checking for XSS on all our sub domains now.” That’s a good idea anyway for phishing, but checking for host headers is an easier short-cut in the short term. I wouldn’t worry about this attack, because it’s unlikely, but it was interesting coming up with the use case.

3 Responses to “MitM DNS Rebinding SSL/TLS Wildcards and XSS”

  1. Wladimir Palant Says:

    Now the really really interesting target would be that is responsible for all extension updates. Fortunately, it doesn’t fall under * certificate. Anyway, interesting attack!

  2. Some1 Says:

    Will the browser accept DNS TTL of 1 sec??
    The browser has it’s own cache, and the TTL there should be greater than a few seconds.

  3. RSnake Says:

    @Wladmimir - I’m sure there are a lot of things that are interesting to attack in this way. Still not a particularly good attack unless it’s extremely targeted, but still… interesting to think about.

    @Some1 - If the browser can’t connect (that’s what the firewall bit is about) then it will attempt to rebind. Internet Explorer does pin DNS for 30 minutes + the TTL (which again an attacker can bypass with the firewall), but most other browsers respect the RFC.