
| Subject: | Host header cannot be trusted as an anti anti DNS-pinning measure |
|---|---|
| Date: | Thu, 07 Sep 2006 20:23:24 +0200 |
Anti DNS-pinning texts ([1], [2], [3]) typically mention that the Host header of the HTTP request is different than the "real" domain name/host name of the site. As such, a suggested security measure against anti DNS-pinning described in those texts is simply for the target site to verify that the HTTP Host header contains the expected value.

However, this measure fails to take into consideration the unfortunate fact that the Host header is shown to be forgeable in various ways, e.g. via XmlHttpRequest (as hinted in [4] and [5]) and through Flash ([6]). Note that since the origin page is in the same "domain" as the target URL, XmlHttpRequest can indeed be used; likewise, Flash will provide a page that is accessible from the same domain.

As such, monitoring the Host header to avoid anti DNS-pinning is not a reliable method.

-Amit Klein

References
==========

[1] "DNS: Spoofing and Pinning", Mohammad A. Haque, September 12th, 2003 (or earlier)
http://viper.haque.net/~timeless/blog/11/

[2] "(somewhat) breaking the same-origin policy by undermining dns-pinning", Martin Johns, BugTraq posting, August 14th, 2006
http://www.securityfocus.com/archive/1/443209

[3] "Re: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript", Amit Klein, WebSecurity posting, July 28th, 2006
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00090.html

[4] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more...", Amit Klein, BugTraq posting, September 24th, 2005
http://www.securityfocus.com/archive/1/411585

[5] "Round-up: Ways to bypass HttpOnly (and HTTP Basic auth)", Amit Klein, WebSecurity posting, May 3rd, 2006
http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html

[6] "Forging HTTP request headers with Flash", Amit Klein, BugTraq posting, July 24th, 2006
http://www.securityfocus.com/archive/1/441014
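To make the post's argument concrete, here is an added example (not Amit Klein's code, nor from any of the cited texts) of the suggested server-side Host header check, applied to two constructed raw requests: one where the browser filled in the rebound attacker name itself, and one where the script supplied the expected Host value. The server sees only the request bytes, so the second request is indistinguishable from a legitimate one; the hostname `intranet.example` and the request contents are constructed.

```python
"""Server-side Host header check of the kind the anti-DNS-pinning texts
suggest, run against constructed requests. Added example, not from the post."""

EXPECTED_HOST = "intranet.example"   # constructed value for this example


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers.
    Header names are lower-cased; repeated names are kept as a list so the
    caller can notice duplicates instead of silently taking the first one."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # skip malformed header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"request_line": lines[0], "headers": headers, "body": body}


def host_header_matches(raw: bytes, expected: str = EXPECTED_HOST) -> bool:
    """The suggested defence: accept only if Host names this site.
    Missing or duplicate Host headers are rejected; an explicit port is ignored."""
    hosts = parse_request(raw)["headers"].get("host", [])
    if len(hosts) != 1:
        return False
    host = hosts[0]
    if not host.endswith("]") and ":" in host:   # strip :port, keep bare IPv6 literal
        host = host.rsplit(":", 1)[0]
    return host.lower() == expected.lower()


# Constructed request 1: the browser resolved attacker.example to this server's
# address and set Host itself, so the check rejects it as the texts describe.
REBOUND_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                   b"Host: attacker.example\r\n\r\n")

# Constructed request 2: the same rebound connection, but the page's script
# supplied the Host header value (the forgery the post refers to). The bytes
# the server receives are identical to a genuine same-site request, so the
# check passes and provides no protection.
FORGED_HOST_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                       b"Host: intranet.example\r\n\r\n")
```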