Home > Security > XSRF^2

XSRF^2

So someone asked me what users should do, to protect themselves against DNS Rebinding attacks.

That’s when I realized it wasn’t completely obvious to people that XSRF is irrelevant as long as DNS Rebinding exists.

XSRF — Cross Site Request Forgery — deals with the concept that random web sites can in fact cause your browser to make arbitrary GET and POST requests. If you have a home router that will respond to these arbitrary GET/POSTs by, for example, changing its DNS server to an arbitrary location, well, it’s now pretty easy for someone to hijack your network connection.

You go to a website, it reconfigures your router. Not good.

Traditionally, XSRF defenses use the fact that a cross-site request can’t have its response read out by script. So if using a router’s web interface depends on pulling some data out from a login page response, the attacker who can cause a browser to make arbitrary requests can’t do anything.

Except, DNS Rebinding means an attacker can read these responses, because the Same Origin Policy that’s supposed to establish this security boundary is easily bypassed by putting both the home router and the attacker server in the same DNS domain.

So, the #1 thing people need to do to protect themselves against DNS Rebinding — set strong passwords on your home router. Not a single device in the field with a weak password can be safe. Every XSRF defense has been defeated. *sighs*

In other news, this entire class of bugs seems to be attached to an ancient law of security: “Simultaneous access to multiple security domains is hard.” We’re trying to do something very difficult with private content on the web, and given the creakiness of something as essential as the Same Origin Policy, I’m becoming increasingly worried that we’re missing some essential infrastructure here.

That being said, so many people are working together on fixing SOP that the inertia from that effort might well drive further goodness. Cool!

Categories: Security
  1. July 8, 2008 at 6:30 pm

    I have two websites. don’t know how to check if there is anything wrong with that.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: