Learn AJAX

Home     |      Learn AJAX     |      Forum     |      Register     |      Submit Resource     |      Submit Article      |      Contact Us

Security Tutorials

 
Home Security
 

DNS Pinning

 
Category: Security
Comments (0)

DNS pinning maybe one of the oldest types of attack an Ajax based application could experience. Unfortunately, this is also one of the most vicious types of attack for an Ajax based application.


This explains why even after years of countering this problem directly related to JavaScript, this type of attack still exists and has evolved into something more powerful.


The concept of DNS pinning is pretty simple – take over the DNS and direct the user to another website.


If the user is directed to a website preferred by the attacker, the user’s data on their local gadget could be exploited through their browser.


Anything could happen when the attacker takes over the DNS of a website. A successful attack could mean millions of loses to a company and its users.


The users might end up providing their credit card information to a totally bogus website. The owners of the website on the other hand will completely have no idea on what is happening.


Simple But Efficient

The success of DNS pinning is based on the fact that it could block the websites from being loaded in the browser.


The first thing that the browser would do to access a website is to look up the DNS to properly pinpoint its location.


But when the DNS pinning script is already loaded in the browser, it will stop the browser from locating the DNS which will force a time out. Naturally the browser will try again only this time, it will be directed to another website. The rest, as the say is history.


The script for DNS pinning could be extracted in different ways – first it could be the fault of the user. They might have stumbled into a good looking website with a JavaScript attack embedded on it.


This is actually a combination of DNS pinning and XSS (Cross Site Scripting) attack. The second one is when the attacker targets a website. It will use the XHR vulnerability so that it could inject its JavaScript commands which will redirect users to another location.


This scenario is very scary since not only a single user could be affected but millions of users. Imagine eBay being hijacked with DNS pinning, the losses in a day’s transaction could mean millions for the company and significant losses to different online businesses.


Preventive Measures

Although we cannot say that we are just sitting ducks to DNS pinning, the reality is closer to it. There is no concrete preventive measure against DNS pinning.


Internet security professionals have to come up with different solutions each time a new one has been put up.


For example, an Anti DNS-Pinning method has been proposed but it turns out that a simple modification of the process will affect the system. So another solution has been put up and this time it is called Anti Anti-DNS Pinning. The process continues…


The only way this problem could be handled is for developers to be constantly alert of their applications. An attack could be lurking in some place so security measures on XHR, img and other JavaScript codes injected should be taken with caution.



Read Next: OAuth for Ajax Applications



 
Related Topics


 

Comments



Post Your Comment:

Members Please Login
Your Name:*
e-mail ID:(required for notification)*
Image Verification: 
 
 Subscribe    

Sponsored Links

 
Learn AJAX  |   Forum  |   Register  |   Submit Resource  |   Submit Article  |   Privacy Policy  |   Contact  |   Site Map
Copyright © 2005 - 2010 AjaxWith.com. All Rights Reserved

Page copy protected against web site content infringement by Copyscape