On 08/17/2010 04:31 PM, Florian Weimer wrote:
* Bradley Falzon:

Craig Heffner's version of the DNS Rebinding attack, similar to all
DNS Rebinding attacks, requires the DNS Servers to respond with an
Attacker's IP Address as well as the Victim's IP Address, in a typical
Round Robin fashion. Previous attacks would normally have the Victim's
IP Address to be their Private IP.

For which protocols is this supposed to work?  Why would a
security-minded web application serve content under a name it knows
cannot be its own?


You're assuming it's an HTTP attack. You can trick Flash, Java and other plugins to circumvent the browser's same-origin policy, and do much more subtle things like sending SMTP email.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
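
The answer pattern described in the thread (one name resolving to both an outside address and an address belonging to the victim) can be checked for on the resolver side. The following is an added example, not code from any participant in the thread or from BIND; the function names, the `own_nets` and `local_zones` parameters, and all names and addresses are constructed for illustration (documentation ranges).

```python
import ipaddress

# Ranges an answer for an external name should never point into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def classify_answers(addresses, own_nets=()):
    """Split answer addresses into (external, protected) lists."""
    # own_nets (assumed parameter): the site's public ranges, needed because
    # the victim address is not always a private one.
    protected_nets = INTERNAL_NETS + [ipaddress.ip_network(n) for n in own_nets]
    external, protected = [], []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if any(ip in net for net in protected_nets):
            protected.append(text)
        else:
            external.append(text)
    return external, protected


def check_response(qname, addresses, own_nets=(), local_zones=()):
    """Return 'allow', 'rebind-mixed' or 'rebind-internal-only'."""
    name = qname.rstrip(".").lower()
    # Zones we operate ourselves may legitimately point at our own hosts.
    if any(name == z or name.endswith("." + z) for z in local_zones):
        return "allow"
    external, protected = classify_answers(addresses, own_nets)
    if not protected:
        return "allow"
    # Outside and protected addresses in one answer set is the round-robin
    # pattern; protected-only is the later stage after the record is swapped.
    return "rebind-mixed" if external else "rebind-internal-only"


if __name__ == "__main__":
    # Constructed sample answers.
    print(check_response("a.example.net", ["203.0.113.10", "192.168.1.1"]))
    print(check_response("a.example.net", ["203.0.113.10", "198.51.100.7"],
                         own_nets=["198.51.100.0/24"]))
    print(check_response("router.corp.example", ["192.168.1.1"],
                         local_zones=["corp.example"]))
```

Without `own_nets`, the second sample answer would pass, because both addresses are public.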