Comments on PortSwigger.net - web application security: DNS pinning and web proxies
Feed author: PortSwigger (http://www.blogger.com/profile/04744809054520271899)
Last updated: 2007-07-16T07:24:03Z

Comment by PortSwigger (http://www.blogger.com/profile/04744809054520271899), 2007-07-16T07:24:00Z

@kuza55

I've seen lots of organisations that use non-RFC1918 addresses on their internal networks. But even if they are being used, your fix may not stop an attack. For example, most DSL routers run a web interface on their internal NIC, for administering the device. In most cases, if you are on the internal network, and request the admin interface using the external IP address, you can still

Comment by kuza55 (http://www.blogger.com/profile/03932544559060480887), 2007-07-15T16:14:00Z

Sorry I took so long to reply, I haven't had access to the internet for the last couple of days.

Ok, the problem I see with #4 and allowing the client to send Host headers is this:

You're allowing the user to tell you where a site is. If your proxy then trusts this information (which could be sent by an attacker, through Anti-DNS Pinning in Flash or Java/LiveConnect - or possibly other methods -

Comment by PortSwigger (http://www.blogger.com/profile/04744809054520271899), 2007-07-11T18:01:00Z

@kuza55, thanks for your feedback.

Re #4, sure, the Host header would still be sent, just like it is when browsers aren't using a proxy and so do their own DNS resolution. What changes in this solution is the URL in the first line of the request to the proxy, which would contain the IP address, not the domain name.

Re #6, there is no problem. As I said, if the cookie isn't received, the proxy performs a

Comment by kuza55 (http://www.blogger.com/profile/03932544559060480887), 2007-07-11T11:07:00Z

Thanks for the paper, it was quite interesting, especially the solutions section. Though I do think you left out a few things in a couple of solutions.

In "Solution 4: Perform DNS resolution in the browser" you did mention that it would add security issues like not being able to block content, but you didn't mention that this would completely break some sites which require a Host header to be