Protecting browsers from DNS rebinding attacks

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 421-431

  Jackson, Collin ^a   Barth, Adam ^a   Bortz, Andrew ^a   Shao, Weidong ^a   Boneh, Dan ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

Click fraud; DNS; Firewall; Same origin policy; Spam

Indexed keywords

CLICK FRAUD; IP ADDRESSS; OPEN NETWORK; PLUG-INS; SAME-ORIGIN POLICY;

INTERNET;

INTERNET PROTOCOLS;

EID: 48349084659     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315298     Document Type: Conference Paper

References (46)

1. Adobe. Flash Player Penetration. http://www.adobe.com/products/player- census/flashplayer/.
2. Adobe. Adobe flash player 9 security. http://www.adobe.com/devnet/ flashplayer/articles/flash-player-9-securit%ypdf, July 2006.
3. Alexa. Top sites. http://www.alexa.com/site/ds/top-sites?ts-mode=global.
4. K. Anvil. Anti-DNS pinning + socket in flash. http://www.jumperz.net/, 2007.
5. W. Cheswick and S. Bellovin. A DNS filter and switch for packet-filtering gateways. In Proc. Usenix, 1996.
6. N. Chou, R. Ledesma, Y. Teraguchi, and J. Mitchell. Client-side defense against web-based identity theft. In Proc. NDSS, 2004.
7. N. Daswani, M. Stoppelman, et al. The anatomy of Clickbot. A. In Proc. HotBots, 2007.
8. D. Dean, E. W. Felten, and D. S. Wallach. Java security: from HotJava to Netscape and beyond. In IEEE Symposium on Security and Privacy: Oakland, California, May 1996.
9. D. Edwards. Your MOMA knows best, December 2005. http://xooglers. blogspot.com/2005/12/your-moma-knows-best.html.
10. K. Fenzi and D. Wreski. Linux security HOWTO, January 2004.
11. R. Fielding et al. Hypertext Transfer Protocol-HTTP/1.1. RFC 2616, June 1999.
12. D. Fisher, 2007. Personal communication.
13. D. Fisher et al. Problems with new DNS cache ("pinning" forever). https://bugzilla.mozilla.org/show-bug.cgi?id=162871.
14. D. Goodin. Calif. man pleads guilty to felony hacking. Associated Press, Janurary 2005.
15. Google. dnswall. http://code.google.com/p/google-dnswall/.
16. Google. Google Safe Browsing for Firefox, 2005. http://www.google.com/ tools/firefox/safebrowsing/.
17. S. Grimm et al. Setting document.domain doesn't match an implicit parent domain. https://bugzilla.mozilla.org/show-bug.cgi?id=183143.
18. J. Grossman and T. Niedzialkowski. Hacking intranet websites from the outside: JavaScript malware just got a lot more dangerous. In Blackhat USA, August 2006. Invited talk.
19. I. Hickson et al. HTML 5 Working Draft. http://www.whatwg.org/specs/web- apps/current-work/.
20. C. Jackson, A. Bortz, D. Boneh, and J. Mitchell. Protecting browser state from web privacy attacks. In Proc. WWW, 2006.
21. M. Johns. (somewhat) breaking the same-origin policy by undermining DNS pinning, August 2006. http://shampoo.antville.org/stories/1451301/.
22. M. Johns and J. Winter. Protecting the Intranet against "JavaScript Malware" and related attacks. In Proc. DIMVA, July 2007.
23. C. K. Karlof, U. Shankar, D. Tygar, and D. Wagner. Dynamic pharming attacks and the locked same-origin policies for web browsers. In Proc. CCS, October 2007.
24. V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proc. CCS, 2006.
25. G. Maone. DNS Spoofing/Pinning. http://sla.ckers.org/forum/read.php?6, 4511, 14500.
26. G. Maone. NoScript. http://noscript.net/.
27. C. Masone, K. Baek, and S. Smith. WSKE: web server key enabled cookies. In Proc. USEC, 2007.
28. A. Megacz. XWT Foundation Security Advisory. http://xwt.org/research/ papers/sop. txt.
29. A. Megacz and D. Meketa. X-RequestOrigin. http://www.xwt.org/x- requestorigin. txt.
30. Microsoft. Microsoft Web Enterprise Portal, January 2004. http://www.microsoft.com/technet/itshowcase/content/MSWebTWP.mspx.
31. Microsoft. Microsoft phishing filter: A new approach to building trust in e-commerce content, 2005.
32. P. Mockapetris. Domain Names-Implementation and Specification. IETF RFC 1035, November 1987.
33. C. Nuuja (Adobe), 2007. Personal communication.
34. G. Ollmann. The pharming guide. http://www.ngssoftware.com/papers/ ThePharmingGuidepdf, August 2005.
35. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear. Address Allocation for Private Internets. IETF RFC 1918, February 1996.
36. J. Roskind. Attacks against the Netscape browser. In RSA Conference, April 2001. Invited talk.
37. D. Ross. Notes on DNS pinning. http://blogs.msdn.com/dross/archive/2007/ 07/09/notes-on-dns-pinning.asp%x, 2007.
38. J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/ projects/security/components/same-origin.html.
39. Spamhaus. The spamhaus block list, 2007. http://www.spamhaus.org/sbl/.
40. S. Stamm, Z. Ramzan, and M. Jakobsson. Drive-by pharming. Technical Report 641, Computer Science, Indiana University, December 2006.
41. J. Topf. HTML Form Protocol Attack, August 2001. http://www.remote.org/ jochen/sec/hfpa/hfpapdf.
42. D. Veditz et al. document.domain abused to access hosts behind firewall. https://bugzilla.mozilla.org/show-bug.cgi?id=154930.
43. W3C. The XMLHttpRequest Object, February 2007. http://www.w3.org/TR/ XMLHttpRequest/.
44. B. Warner. Home PCs rented out in sabotage-for-hire racket. Reuters, July 2004.
45. J. Winter and M. Johns. LocalRodeo: Client-side protection against JavaScript Malware. http://databasement.net/labs/localrodeo/, 2007.
46. M. Wong and W. Schlitt. Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail. IETF RFC 4408, April 2006.