Bugtraq: Re: Whitepaper - DNS pinning and web proxies

["Amit Klein" <aksecurity () gmail com>]

Hello

The statements below, as well as on the paper itself ("So far,
discussion has focused solely on browser issues and has ignored the
fact that web proxies are also vulnerable to the same attacks.") are
somewhat inaccurate.

Please look at the following BugTraq posting submitted July 29th, 2002
by Adam Megacz and titled "XWT Foundation Advisory: Firewall
circumvention possible with all browsers"
(http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-07/0363.html).
It uses the term "quick-swap DNS" to describe the basic attack, and
proceeds to note:

"Since some clients behind HTTP proxies do not have access to a DNS
server which they can use for name-to-IP resolution, HTTP Proxies
should return an additional header in the HTTP reply
'Origin-Server-Address:', whose value is the network-layer address of
the origin server. A web browser without DNS access which recieves a
script from a proxy which does not support this header must not be
allowed to access content in any other frame, iframe, window, or
layer."

Which is identical to solution #3 you suggest.

So I'd say the problem has been known for few years (albeit admittedly
less discussed), and at least one solution was already suggested.

Thanks,
-Amit




On 7/10/07, Dafydd Stuttard <daf () ngssoftware com> wrote:
> DNS-based attacks against browsers have been known about for years. These
> attacks have received increased attention recently, following the discovery
> of defects within browser-based DNS pinning defences.
>
> So far, discussion has focused on browser issues. However, the same attacks
> can also be performed against web proxies.