evil.org?
www.evil.org is at 1.1.1.2.
Please give me/index.html for www.evil.org.
Sure thing boss. (returns the web page with a malicious SWF)
User's browser loads malicious flash plugin who wishes to access temp.evil.org.
Where is temp.evil.org?
temp.evil.org is at 1.1.1.3, but i'm going to change it really soon.
Change DNS entry for temp.evil.org to 192.168.1.1
Can i access you?
Yes. Do anything you please.
Create socket connection to temp.evil.org on port 80
Where is temp.evil.org?
temp.evil.org is at 192.168.1.1.
Attempt to hack this router with default username and passwords, and open the router for Internet wide administration control.
Sure thing boss.
Here is another pwned router.
Sweet! Thanks!
Figure 9-1 Sequence diagram of a DNS rebinding attack
242 Hacking Exposed Web 2.0
SUMMARY
Flash can be used to attack any web application by reflecting cross-domain security
policies. Attackers can also take advantage of improper input validation in Flash applications
to mount XSS attacks on the domain hosting the vulnerable SWF. Automatically
generated SWFs can be created with vulnerable code that could lead to widespread,
universal XSS attacks. Finally, Flash can be used to circumvent firewalls with DNS
rebinding attacks.
Pages:
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421