Saturday, April 7, 2007

DNS-Pinning, the next big thing?

I always admire programmers for their sharp programming skills and their structured way of logical thinking. I myself can never be good at programming or scripting. I tried many times to brush up my skills, but always failed at some point. This is the reason why I chose networking over being a developer. If I were good at programming, I would definitely develop a hell of a lot of security tools to cater to the community. Now, this leads to a very interesting article I am going to refer you guys to. Have you guys heard of DNS-Pinning? I think it's the "Next Big Thing" that is going to affect the web community after XSS and CSRF. Well, it all comes down to having ideas and working on a proof of concept. We all know that it is possible to port-scan using JavaScript with XSS, and now comes DNS-Pinning. DNS-Pinning is like punching a hole in the firewall: it allows scanning of an internal LAN. This is scary because it actually bypasses the firewall rules and returns all the open ports. I have just tested it on my machine and, damn, the results are pretty accurate. Read on for more information.

http://shampoo.antville.org/stories/1451301/

http://sla.ckers.org/forum/read.php?6,4511,9587#msg-9587
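As an added, defender-side illustration (not code from the original post or the linked articles): the attack depends on an attacker-controlled hostname resolving, on a later lookup, to an address inside the victim's LAN, so one practical mitigation is a resolver that refuses to hand an external name a private, loopback or link-local address. The internal zone suffix `.corp.example` and the sample DNS answers below are constructed for the example.

```python
# Added example: a resolver-side filter of the kind used to blunt DNS-rebinding
# (anti-DNS-pinning) attacks. An answer that maps an EXTERNAL hostname to a
# private, loopback, link-local or unspecified address is rejected; names under
# a known internal zone are allowed to resolve to internal addresses.
# dnsmasq's --stop-dns-rebind option implements the same idea; this is a
# stand-alone illustration, not that code.
import ipaddress

# Assumption for the example: the organisation's own internal zone.
INTERNAL_SUFFIXES = (".corp.example",)

def is_internal_name(hostname, suffixes=INTERNAL_SUFFIXES):
    """True if the name is the internal zone itself or lies beneath it."""
    host = hostname.rstrip(".").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in suffixes)

def is_non_routable(address):
    """True for addresses a browser should never reach via an external name."""
    ip = ipaddress.ip_address(address)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def filter_answer(hostname, addresses, suffixes=INTERNAL_SUFFIXES):
    """Split one DNS answer into (accepted, rejected) address lists."""
    if is_internal_name(hostname, suffixes):
        return list(addresses), []
    accepted, rejected = [], []
    for a in addresses:
        (rejected if is_non_routable(a) else accepted).append(a)
    return accepted, rejected

# Constructed sample answers: a normal lookup, the second lookup of a rebinding
# attempt (the external name now points into the LAN), and a legitimate
# internal name.
SAMPLE_ANSWERS = [
    ("attacker.example", ["1.2.3.4"]),
    ("attacker.example", ["192.168.1.1", "1.2.3.4"]),
    ("intranet.corp.example", ["10.0.0.5"]),
]

def audit(answers=SAMPLE_ANSWERS, suffixes=INTERNAL_SUFFIXES):
    """Return (hostname, rejected addresses) for every answer that looks like rebinding."""
    findings = []
    for name, addrs in answers:
        _, rejected = filter_answer(name, addrs, suffixes)
        if rejected:
            findings.append((name, rejected))
    return findings

if __name__ == "__main__":
    for name, bad in audit():
        print(f"rebinding suspect: {name} -> {', '.join(bad)}")
```

Running it flags only the second sample answer; a real deployment would apply the same check in the recursive resolver the clients use, not in client code.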

4 comments:

TJS said...

I'm not so sure that this will be the next big thing in web security for one simple reason: this is easy to fix.

I haven't experimented with the technique (yet), but I can tell you right off the bat that if this works as described, you can expect browser developers to produce fixes shortly after they are notified about the issue.

I think that the 'next big threat' in security will be something that a few people cannot easily fix: something that lots of people often mess up. Think about the buffer overflow, for example. This was a huge issue in security because it took virtually every developer fixing bad habits before the problem really went away (and the problem is still here today).

The analogy in the web world today is XSS and SQL injection. I think that people are finding new ways to exploit XSS daily, and the more people use such technologies as AJAX and other 'web 2.0' craplets, the more that will be at risk. There's more to this than stealing auth cookies, I think...

AAaannyway, DNS Pinning is still a very interesting attack and I'm looking forward to playing with it over the next few days. I'll keep you posted with any findings.

TJS

Anonymous said...

I agree with you, tjs. I am not sure if DNS-Pinning is the next big thing, but for now it sure is, and those who know it are finding ways to solve it. But I agree 100% with you that XSS is the biggest thing right now in web applications; every day someone out there is finding a new XSS flaw to exploit.

hackathology

kuza55 said...

Personally, I think Anti-DNS Pinning was the most dangerous development from last year. This is important in my eyes not because of the ramifications for web application security, but for network security. This attack is able to break any kind of firewall simply by having a user visit a web page, and when firewalls are such an integral part of network security, anything which can get past them that easily should be worrying.

@tjs:
Even if it is easy to fix, it still hasn't been, and this attack has been known about since the 14th of August last year.

Furthermore, this not only affects browsers but all browser plugins which allow network communications, e.g. Java and Flash, neither of which actually implements any kind of DNS Pinning anyway.

So while it may seem a simple fix, it's a simple fix that needs to be implemented in a lot of software; much like fixing most standard XSS issues (i.e. not filtering input, but escaping output), it's simple, but has to be done in a lot of places.

@hackathology
What are the "ways to solve it" that you have seen? AFAIK there is no way to protect against it, especially when Java lets you open socket connections rather than just make HTTP requests.

Anonymous said...

kuza55, I do not know if there is a way, but I know there is a hell of a lot that needs to be done to solve this issue. Personally, I can understand the concept, but there are still some parts which I don't understand; maybe you can explain them to me?

hackathology.