Eradicating DNS Rebinding with the Extended Same-Origin Policy

Johns, Martin and Lekies, Sebastian and Stock, Ben
(2013) Eradicating DNS Rebinding with the Extended Same-Origin Policy.
In: 22nd USENIX Security Symposium.
Conference: USENIX-Security Usenix Security Symposium

[img]
Preview
 Text
dns-rebinding.pdf - Published Version
Download (373kB) | Preview

Abstract

The Web’s principal security policy is the Same-Origin Policy (SOP), which enforces origin-based isolation of mutually distrusting Web applications. Since the early days, the SOP was repeatedly undermined with variants of the DNS Rebinding attack, allowing untrusted script code to gain illegitimate access to protected network resources. To counter these attacks, the browser vendors introduced countermeasures, such as DNS Pinning, to mitigate the attack. In this paper, we present a novel DNS Rebinding attack method leveraging the HTML5 Application Cache. Our attack allows reliable DNS Rebinding attacks, circumventing all currently deployed browser-based defense measures. Furthermore, we analyze the fundamental problem which allows DNS Rebinding to work in the first place: The SOP’s main purpose is to ensure security boundaries of Web servers. However, the Web servers themselves are only indirectly involved in the corresponding security decision. Instead, the SOP relies on information obtained from the domain name system, which is not necessarily controlled by the Web server’s owners. This mismatch is exploited by DNS Rebinding. Based on this insight, we propose a light-weight extension to the SOP which takes Web server provided information into account. We successfully implemented our extended SOP for the Chromium Web browser and report on our implementation’s interoperability and security properties.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Additional Information: pub_id: 1048 Bibtex: johns2013eradicating URL date: None
Divisions: Ben Stock (Secure Web Applications Group, SWAG)
Conference: USENIX-Security Usenix Security Symposium
Depositing User: Sebastian Weisgerber
Date Deposited: 26 Jul 2017 10:29
Last Modified: 18 Jul 2019 12:12
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/388

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.