Robert Edmonds wrote:
> Both of the attacks described in this document start with luring a
> user to navigate to an attacker-controlled URL. If the attacker can
> control the entire URL that the user navigates to, then the attacker
> can serve malicious content from arbitrary HTTP servers controlled by
> the attacker, without needing to publish a polyglot resource via an
> intermediate DoH server.
>
> Are there other kinds of attacks besides luring a user to navigate to an
> attacker-controlled URL where publishing the malicious content through a
> DoH server is more valuable than serving the malicious content directly
> from arbitrary HTTP servers controlled by the attacker? Is there any
> additional value beyond obfuscating the source of the attack?
>

The attacks do not lure a victim to an attacker-controlled URL but
to a vulnerable service operated by a third party. Let's use
Direct-XSS-over-DoH as an example.

Assume you operate some website under the domain "benign.example".
You also operate a DoH endpoint under "https://benign.example/dns-query".
The attacker owns the domain "attacker.example" and operates their
own authoritative DNS server "ns.attacker.example".

The attacker's goal is to deliver malicious web content in your
web origin (benign.example), which they do not control.
So they craft a link:

L = https://benign.example/dns-query?dns=[Q:IN TXT payload.attacker.example]

Q is a DNS query for TXT records associated with payload.attacker.example.
The attacker sends this link L, which points to your server, not the
attacker's own, to any user logged in on your site (benign.example).
The user clicks on that link. Since the HTTP GET request created in
response to the click is a valid DoH GET query directed at the benign
DoH endpoint (https://benign.example/dns-query), the DoH resolver
decodes the content of the GET parameter "dns" and finds a valid
query for payload.attacker.example. It starts the resolution process
and determines the authority for the zone attacker.example which is
ns.attacker.example. It then forwards the query to ns.attacker.example,
which responds with an attacker-controlled TXT record. This record
is an HTML/DNS polyglot and thus a valid DNS response. It also contains
malicious JavaScript code. The benign DoH resolver (benign.example)
receives this DNS response from the attacker's authoritative server,
embeds it into a DoH response and sends it back to the client *within
its own web origin*, i.e. benign.example. The attacker has now
successfully injected content of their choice into benign.example, a
third-party web origin that is not under the attacker's control. In
particular, the attacker can now execute code in the victim web origin
(benign.example) within the context of the logged-in user's account.

--
Kind regards

Matthias Gierlings

_______________________________________________
DNSOP mailing list -- [email protected]
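As an added example that is not part of the original thread: the link L above is an RFC 8484 DoH GET request, whose dns= parameter is a base64url-encoded wire-format DNS query. The small Python decoder below lets an operator of a DoH endpoint such as benign.example see, from their access log, which question each request carries and whether the answer will consist of TXT data relayed from a zone they do not serve. The log lines, zone names and the helper names are constructed for this example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

A, TXT = 1, 16  # DNS RR type codes

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype):
    # ID 0, RD set, one question; RFC 8484 uses ID 0 so GET URLs stay cacheable
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_doh_get(request_line):
    """Decode the dns= parameter of a DoH GET request line into (qname, qtype)."""
    path = request_line.split(" ")[1]
    b64 = parse_qs(urlsplit(path).query)["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # RFC 8484 omits padding
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    return qname, struct.unpack("!H", msg[off:off + 2])[0]

def relays_foreign_txt(request_line, own_zones=("benign.example",)):
    """True when the query asks for TXT data under a zone the operator does not serve,
    so the answer bytes will come from a third-party authoritative server and be returned
    inside the operator's own web origin. Such lookups are routine, so this is a triage key."""
    qname, qtype = parse_doh_get(request_line)
    own = any(qname == z or qname.endswith("." + z) for z in own_zones)
    return qtype == TXT and not own

def to_log_line(name, qtype):
    """Constructed sample request line, as an access log would show it."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"GET /dns-query?dns={b64} HTTP/2"
SAMPLE_LOG = [to_log_line("www.benign.example", A), to_log_line("payload.attacker.example", TXT)]
```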