- From: Adam Barth <hk9565@gmail.com>
- Date: Wed, 9 Jan 2008 14:35:06 -0800
The spec says:

"It's been suggested that we should put IP addresses into the origin tuple, to mitigate DNS rebinding attacks. However that would kill multi-homed systems like GMail. Should we do something like have a DNS record say whether or not to include the IP in the origin for a host?"

<http://www.whatwg.org/specs/web-apps/current-work/#the-string>

Adding IP addresses to the origin tuple does not prevent DNS rebinding attacks if any page on the target site embeds a script, style sheet, or other active content using a relative path. Consider the following example page:

/foo/bar.html:

    <html>
    <head>
    <script src="lib.js"></script>
    </head>
    </html>

Suppose the attacker directs the user to http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to the target's IP address, 171.64.78.10. The target serves the above HTML, which runs in the origin (http, www.attacker.com, 80, 171.64.78.10) and causes the user agent to request http://www.attacker.com/foo/lib.js. Now, the attacker rebinds www.attacker.com to point to the attacker's IP address and serves malicious JavaScript. At this point, the attacker is running malicious JavaScript in the origin that includes the target's IP address and can proceed with the attack.

Adding IP address to the origin tuple both breaks existing web sites, like Gmail, and is an ineffective defense against DNS rebinding. We recommend not adding IP address to the origin tuple.

Adam Barth and Collin Jackson
Received on Wednesday, 9 January 2008 14:35:06 UTC
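
Added example, not part of the original message: a toy model of the argument above, showing that a script included by relative path executes in the embedding document's origin whether or not the origin tuple carries an IP address. The function names, the origin string format and the address 203.0.113.5 (a documentation-range placeholder for the second DNS answer) are assumptions made for illustration; this is not a real browser API.

```javascript
// Toy model (constructed): compares a 3-tuple origin with the proposed 4-tuple.
const TARGET_IP = "171.64.78.10"; // target address used in the message
const SECOND_IP = "203.0.113.5";  // constructed placeholder for the rebound answer

// DNS for the host returns successive answers, then repeats the last one.
function makeResolver(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

// Origin as (scheme, host, port) plus, optionally, the IP the content came from.
function originOf(url, ip, includeIp) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  const parts = [u.protocol.replace(":", ""), u.hostname, port];
  if (includeIp) parts.push(ip);
  return parts.join(",");
}

function loadPage(docUrl, scriptSrc, resolve, includeIp) {
  const docIp = resolve(); // first lookup: the document fetch
  const docOrigin = originOf(docUrl, docIp, includeIp);
  // A relative path resolves against the document URL, so the host name is reused.
  const scriptUrl = new URL(scriptSrc, docUrl).href;
  const scriptIp = resolve(); // second lookup: may return a different address
  // A <script src> runs in the origin of the embedding document, not in an
  // origin derived from where the script bytes were fetched.
  return { docOrigin, scriptUrl, scriptServedFrom: scriptIp, scriptRunsIn: docOrigin };
}

function simulate(includeIp) {
  const resolve = makeResolver([TARGET_IP, SECOND_IP]);
  const r = loadPage("http://www.attacker.com/foo/baz.html", "lib.js", resolve, includeIp);
  // Origin that content served from the target's IP gets under this host name.
  const targetContentOrigin = originOf("http://www.attacker.com/", TARGET_IP, includeIp);
  return { ...r, sameOriginAsTargetContent: r.scriptRunsIn === targetContentOrigin };
}

// Both models give the same answer: the IP component does not separate the two.
console.log(simulate(false));
console.log(simulate(true));
```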