- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Jan 2008 21:21:06 +0000 (UTC)
On Thu, 10 Jan 2008, Collin Jackson wrote: > > > > As I understand it, that kind of attack would be mitigated by the > > browser not doing a DNS query for the second one -- it's the reason > > browsers tend to have built-in DNS caches (with TTLs in the order of a > > minute). > > The problem is that browser caches can have TTLs on the order of hours > or days, while it is not realistic to cache DNS entries for that long. > This leads to the following attack: > > 1) http://www.attacker.com/foo/attack.html is served from attacker, > includes lib.js > 2) http://www.attacker.com/foo/lib.js is served from attacker with an > "Expires" header 24 hours in the future > 3) Attacker waits for browser DNS cache to expire. > 4) User is redirected to http://www.attacker.com/foo/baz.html, which > is served from target > 5) http://www.attacker.com/foo/lib.js is served from the browser's > cache and is now in the target's origin Yeah, I don't know of a good solution to that when the victim site uses HTTP/1.0. (With 1.1, you can mitigate it by checking Host headers.) > > The idea with origins containing IP addresses is to avoid attacks like > > where a page on attacker.com does a window.open() to another page on > > attacker.com where the second page is served from the victim IP, and > > scripts in the first page then do cross-window manipulation. > > After using the technique above, the attacker can window.open to another > page on attacker.com and do cross-window manipulation. After using the technique above, the attacker doesn't need to use window.open(). The technique above boils down to arbitrary content injection, at which point the victim has lost and the game is over. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 January 2008 13:21:06 UTC