Message-ID: <26162adb0707101119r451cb775n11a933a572339552@mail.gmail.com>
Date: Tue, 10 Jul 2007 21:19:05 +0300
From: "Amit Klein" <aksecurity@...il.com>
To: "Dafydd Stuttard" <daf@...software.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Whitepaper - DNS pinning and web proxies

Hello

The statements below, as well as in the paper itself ("So far,
discussion has focused solely on browser issues and has ignored the
fact that web proxies are also vulnerable to the same attacks.") are
somewhat inaccurate.

Please look at the following BugTraq posting submitted July 29th, 2002
by Adam Megacz and titled "XWT Foundation Advisory: Firewall
circumvention possible with all browsers"
(http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-07/0363.html).
It uses the term "quick-swap DNS" to describe the basic attack, and
proceeds to note:

"Since some clients behind HTTP proxies do not have access to a DNS
server which they can use for name-to-IP resolution, HTTP Proxies
should return an additional header in the HTTP reply
'Origin-Server-Address:', whose value is the network-layer address of
the origin server. A web browser without DNS access which receives a
script from a proxy which does not support this header must not be
allowed to access content in any other frame, iframe, window, or
layer."

Which is identical to solution #3 you suggest.

So I'd say the problem has been known for a few years (albeit admittedly
less discussed), and at least one solution was already suggested.

Thanks,
-Amit




On 7/10/07, Dafydd Stuttard <daf@...software.com> wrote:
> DNS-based attacks against browsers have been known about for years. These
> attacks have received increased attention recently, following the discovery
> of defects within browser-based DNS pinning defences.
>
> So far, discussion has focused on browser issues. However, the same attacks
> can also be performed against web proxies.
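
The client-side rule from the 2002 advisory quoted in the message above, as an added JavaScript example that is not part of the original message, the advisory, or the whitepaper. The function names and the pin table are hypothetical, and treating a changed address for an already-seen hostname as grounds for isolation is an assumption that goes beyond the quoted text, which only covers the missing-header case.

```javascript
// Added illustration; all names here are hypothetical.
// Only the header name 'Origin-Server-Address' comes from the quoted advisory.
const HEADER = 'origin-server-address';

function createPinTable() {
  return new Map(); // hostname -> first origin-server address reported by the proxy
}

// headers: plain object of response headers as relayed by the proxy.
// Returns { crossFrameAccess, reason } for the document that was just loaded.
function evaluateResponse(pins, hostname, headers) {
  const host = hostname.toLowerCase();
  // HTTP header names are case-insensitive, so normalise before lookup.
  const normalised = {};
  for (const [name, value] of Object.entries(headers)) {
    normalised[name.toLowerCase()] = String(value).trim();
  }
  const addr = normalised[HEADER];

  // Quoted rule: a proxy that does not send the header gives the client
  // nothing to check, so scripts get no access to other frames or windows.
  if (!addr) {
    return { crossFrameAccess: false, reason: 'proxy did not report origin address' };
  }
  const pinned = pins.get(host);
  if (pinned === undefined) {
    pins.set(host, addr); // first sighting: remember the address
    return { crossFrameAccess: true, reason: 'address pinned' };
  }
  // Assumption: same hostname, different network address means the name
  // was re-pointed between requests, so the document is isolated.
  if (pinned !== addr) {
    return { crossFrameAccess: false, reason: 'origin address changed' };
  }
  return { crossFrameAccess: true, reason: 'address matches pin' };
}

// Constructed sample responses (documentation address ranges).
const pins = createPinTable();
const first = evaluateResponse(pins, 'app.example', { 'Origin-Server-Address': '203.0.113.10' });
const swapped = evaluateResponse(pins, 'APP.example', { 'origin-server-address': '192.0.2.7' });
const legacyProxy = evaluateResponse(pins, 'other.example', { 'Content-Type': 'text/html' });
console.log(first.reason, '|', swapped.reason, '|', legacyProxy.reason);
```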
