An old trick is rediscovered: anti-dns pinning.
DNS pinning is a technique used in web browsers and such to keep an attacker from changing the DNS entry of a server in mid-session. If they could, an attacker might have you visit their website, then swap the DNS to an internal IP address (such as your home router’s admin webpage). The JavaScript can then make calls back to the same domain name and the browser would allow it even though it’s now talking with a completely different server.
DNS pinning caches the IP addresses and stores them for the entire length of your browsing session. A workaround is to target browsers that cache pages. Get a user to visit an attacker’s web site, then exit the browser. Restart the browser (say a day later, after having shut down the computer and gone to bed) and visit that site again. The cached page loads, but dormant JavaScript is now triggered (based on a timestamp, or maybe a request to see if a specific file exists on the server tied to the domain name used by the attacker).
But now it’s been found that simply requesting a page on a closed port (www.example.com:81) will trigger the browser to re-cache that DNS entry, making this method of attack much easier and faster, to the point that some people have already built applications that will scan the victim’s entire internal network. From there the program might ID a specific server based on unique default files that come with a default install of IIS or Apache, or maybe look at the 404 error page and parse out the name and version of the server. From there it could launch an attack on specific vulnerabilities for that server, or that web application, leading to a compromise of the system. All of this is automated. Running quietly in some hidden iframe while you continue to browse the internet.
It’s a bit complex, but it works. And there isn’t a fix for this and there may never be one. This is part of how JavaScript works. And now this method is being modified to run in ActionScript (Flash) and JAVA applets.
What’s going to happen is more and more people will start to simply not execute JavaScript, JAVA applets, or Flash movies from sites that aren’t trusted. A feat made incredibly simple with the aid of plugins like noscript. This is where you, the web developer, come in.
You have to gain a user’s trust. And you have to do so without your web page executing JavaScript. If your layout relies on JavaScript and simply displays a blank page without it (all-flash websites also included here) then what is there for the user to base their trust? So they don’t, and simply move on.
“2.0” sites are going to get screwed in this whole deal. They’ll either have to rely on word-of-mouth (“no no, that site’s okay”) or users that have blind trust. Perhaps we’ll see people or groups start to maintain “whitelists” – sites that are okay to trust. Maybe something like an RSS feed that’s updated hourly. But then you look at the history of spam blacklists and start to wonder how that’d really work out.
The simplest solution here is to not rely on JavaScript, Flash, or JAVA for your website. The web started in text, perhaps you should keep to tradition. Small bits that enhance a site’s functionality are fine, but nothing that’s critical to allowing access to your content. Then, once the user sees your site is okay, they’ll add you to a trust list and your scripts get executed and the site loads exactly as you want.
What will be really interesting is to see if there’s a backlash. Users might start to realize just how much faster and more efficient their browsers run and better their experience with the site is when all the extra scripty bits are disabled. Perhaps we’ll see a push away from crazy embedded elements and back to a simpler means.
Probably not.