Host header cannot be trusted as an anti anti DNS-pinning measure

Anti DNS-pinning texts ([1], [2], [3]) typically mention that the Host header of the HTTP request is different than the "real" domain name/host name of the site. As such, a suggested security measure against anti DNS-pinning described in those texts is simply for the target site to verify that the HTTP Host header contains the expected value.

However, this measure fails to take into consideration the unfortunate fact that the Host header is shown to be forgeable in various ways, e.g. via XmlHttpRequest (as hinted in [4] and [5]) and through Flash ([6]). Note that since the origin page is in the same "domain" as the target URL, XmlHttpRequest can indeed be used; likewise, Flash will provide a page that is accessible from the same domain.

As such, monitoring the Host header to avoid anti DNS-pinning is not a reliable method.

-Amit Klein

References
==========

[1] "DNS: Spoofing and Pinning", Mohammad A. Haque, September 12th, 2003 (or earlier)
http://viper.haque.net/~timeless/blog/11/

[2] "(somewhat) breaking the same-origin policy by undermining dns-pinning", Martin Johns, BugTraq posting, August 14th, 2006
http://www.securityfocus.com/archive/1/443209

[3] "Re: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript", Amit Klein, WebSecurity posting, July 28th, 2006
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00090.html

[4] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more...", Amit Klein, BugTraq posting, September 24th, 2005
http://www.securityfocus.com/archive/1/411585

[5] "Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)", Amit Klein, WebSecurity posting, May 3rd, 2006
http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html

[6] "Forging HTTP request headers with Flash", Amit Klein, BugTraq posting, July 24th, 2006
http://www.securityfocus.com/archive/1/441014