Since DNS names can be easily spoofed or misreported, and it may be difficult for the product to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism.
When the product performs a reverse DNS resolution for an IP address, if an attacker controls the DNS server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks.
Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address.
Scope | Impact | Likelihood |
---|---|---|
Access Control | Gain Privileges or Assume Identity, Bypass Protection Mechanism Note: Malicious users can fake authentication information by providing false DNS information. |
Reference | Description |
---|---|
Does not do double-reverse lookup to prevent DNS spoofing. | |
Does not verify reverse-resolved hostnames in DNS. | |
Authentication bypass using spoofed reverse-resolved DNS hostnames. | |
Authentication bypass using spoofed reverse-resolved DNS hostnames. | |
Filter does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing. | |
Reverse DNS lookup used to spoof trusted content in intermediary. | |
Product records the reverse DNS name of a visitor in the logs, allowing spoofing and resultant XSS. |
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-142 | DNS Cache Poisoning A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack. |
CAPEC-275 | DNS Rebinding An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary. |
CAPEC-73 | User-Controlled Filename An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities. |
CAPEC-89 | Pharming A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed. |
Name | Organization | Date | Date Release | Version |
---|---|---|---|---|
PLOVER | Draft 3 |
Name | Organization | Date | Comment |
---|---|---|---|
Sean Eidemiller | Cigital | added/updated demonstrative examples | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Potential_Mitigations | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | |
CWE Content Team | MITRE | CWE-247 and CWE-292 deprecated and merged into CWE-350 to address duplicates. | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Type | |
CWE Content Team | MITRE | updated Description, Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Related_Attack_Patterns | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Relationships | |
CWE Content Team | MITRE | updated References, Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
CWE Content Team | MITRE | updated Mapping_Notes |