Matthias Gierlings wrote:
> we are a team of researchers at Ruhr-University Bochum and University
> of Wuppertal who uncovered vulnerabilities in the DNS Queries over
> HTTPS Standard (RFC 8484)[1]. Those vulnerabilities enable exploits
> against DoH services that inject malicious, attacker-controlled
> content into web-origins of victim sites. This novel class of
> Cross-Site-Scripting (XSS) attacks is called XSS-over-DoH and
> consists of:
> 
> (1) *Direct XSS over DoH*, which directly delivers malicious markup
>     containing JavaScript that is subsequently rendered and executed
>     in the origin of a vulnerable DoH server.
> (2) *CSP-Bypass over DoH* bypasses strong CSPs
>     (Content-Security-Policies) and defeats robust browser protection
>     mechanisms designed to suppress script execution in the face of
>     markup injection.
> 
> Please refer to the attached document for further details on both
> attacks, the associated techniques and their impact on victims.

Both of the attacks described in this document start with luring a
user to navigate to an attacker-controlled URL. If the attacker can
control the entire URL that the user navigates to, then the attacker
can serve malicious content from arbitrary HTTP servers controlled by
the attacker, without needing to publish a polyglot resource via an
intermediate DoH server.

Are there other kinds of attacks besides luring a user to navigate to an
attacker-controlled URL where publishing the malicious content through a
DoH server is more valuable than serving the malicious content directly
from arbitrary HTTP servers controlled by the attacker? Is there any
additional value beyond obfuscating the source of the attack?

-- 
Robert Edmonds
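As an added defensive example (not from either message above nor from the attached document), assuming a DoH server's HTTP responses are being reviewed for the rendering risk the thread describes: a check that a response is typed as RFC 8484 wire-format DNS data, so a browser will not interpret it as markup in the DoH server's origin. The function name, header expectations beyond the RFC 8484 media type, and the sample responses are constructed for illustration.

```python
from typing import List, Mapping

# Media type mandated by RFC 8484 for DoH request and response bodies.
DOH_MEDIA_TYPE = "application/dns-message"


def doh_response_findings(headers: Mapping[str, str], body: bytes) -> List[str]:
    """Return defensive findings for one DoH HTTP response.

    An empty list means the response is typed and framed so that a browser
    has no reason to treat it as markup in the DoH server's origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    media = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media != DOH_MEDIA_TYPE:
        findings.append(f"Content-Type is {media or 'absent'!r}, expected {DOH_MEDIA_TYPE!r}")

    # nosniff stops the browser from second-guessing the declared type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    # The body should be a wire-format DNS message: at least a 12-byte
    # header with the QR (response) bit set in the flags field.
    if len(body) < 12:
        findings.append("body shorter than a DNS header (12 bytes)")
    elif not body[2] & 0x80:
        findings.append("DNS header QR bit not set: body is not a DNS response")

    # Heuristic: markup in a body advertised as DNS data is a red flag.
    lowered = body.lower()
    if b"<script" in lowered or b"<html" in lowered or b"<svg" in lowered:
        findings.append("body contains HTML-like markup")
    return findings


# Constructed sample responses (not captured from any real service).
SAFE_HEADERS = {
    "Content-Type": "application/dns-message",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "max-age=300",
}
SAFE_BODY = bytes([0x12, 0x34, 0x81, 0x80]) + b"\x00" * 8  # minimal DNS response header

RISKY_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
RISKY_BODY = b"<html><body>injected markup</body></html>"

if __name__ == "__main__":
    print(doh_response_findings(SAFE_HEADERS, SAFE_BODY))    # []
    print(doh_response_findings(RISKY_HEADERS, RISKY_BODY))  # four findings
```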

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
