Same Site Scripting is a type of vulnerability caused by a common DNS misconfiguration. Before we dive into the details, let's make sure we have a basic understanding of how the Internet works.
How the web works:
When you visit a website, your browser communicates with the web server where that website is hosted using IP (Internet Protocol). IP uses IP addresses to reach these servers.
Here is a basic outline of what happens when you visit a website:
- You try to visit target.com.
- The browser uses DNS (Domain Name System) to translate "target.com" into its IP address, let's say "184.108.40.206".
- The contents of "target.com" are shown in your browser.
DNS Misconfiguration:
Let's look at what we mean by a DNS misconfiguration. In the example above, if the DNS server returns a wrong IP address such as 220.127.116.11 instead of 184.108.40.206, the browser happily connects to 220.127.116.11. If a malicious website is hosted at 220.127.116.11, the victim can be harmed in many ways. This is a problem if TLS (Transport Layer Security) isn't used for the connection to 220.127.116.11. If TLS is used, on the other hand, the browser rejects the connection to 220.127.116.11 because the server there doesn't have the private key that matches target.com's certificate.
Same Site Scripting:
A common practice when configuring nameservers is to install a record of the following type:
localhost. IN A 127.0.0.1
A mistake that seems harmless is to leave off the trailing dot at the end of the name. The server then parses the configuration file such that localhost is interpreted as a hostname within the current domain rather than as a domain in itself. What this means is that if you ping localhost.target.com, the query will resolve.
This introduces the vulnerability called Same Site Scripting, a variant of Cross-Site Scripting (XSS). Since the dot isn't present at the end of the name, the record is not fully qualified, so queries of the form "localhost.target.com" are resolved.
So basically, the loopback address (which simply means "myself" to a computer) is assigned to the routable name localhost.target.com. Hence, when you connect to that name, you are connected to the machine that is sending the request, i.e. your own.
When you visit localhost.target.com while a service is running on your own machine (a WAMP server, for example), you end up talking to that local service and cannot reach anything target.com actually hosts under that subdomain.
This is not a high-severity vulnerability like XSS, because to exploit it an attacker needs to be on the same machine as you. If they aren't, they can't open a network port on your machine over which to serve HTTP traffic to your browser.
Attack Scenario:
This DNS misconfiguration makes victims susceptible to attack if they are using multi-user systems.
- On a shared UNIX system, an attacker listens on an unprivileged port and then uses a typical XSS attack vector (e.g. img src=...) to lure the victim into requesting "http://localhost.target.com:1024/cutedogs.gif".
- The response shown to the victim when they visit the above URL is something like "Failed to load image".
- In the background, however, the request is logged, and because localhost.target.com is a subdomain of target.com, the browser has sent it along with any cookies scoped to the whole target.com domain.
How to avoid Same Site Scripting as an administrator:
- Non-fully-qualified localhost entries should be removed from nameserver configurations for domains that host websites relying on HTTP State Management (cookies).
- Additionally, those practicing blackhole routing via DNS to mitigate denial-of-service (DoS) attacks against specific hostnames should avoid the temptation to resolve the targets to 127.0.0.1 or similar addresses for sensitive domains.
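To check a zone file for both problems above (the unqualified localhost record and blackhole entries that point real hostnames at loopback), here is an added example, not code from the original article: a small zone-file linter that qualifies each owner name against $ORIGIN exactly as a nameserver would and reports every A/AAAA record that maps anything other than the bare "localhost." to a loopback address. The sample zone is constructed for this example; target.com and 184.108.40.206 are the values used in the article.

```python
import ipaddress

def qualify(name: str, origin: str) -> str:
    """Fully qualify a zone-file owner name; a relative 'localhost' becomes localhost.<origin>."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def find_loopback_records(zone_text: str, default_origin: str):
    """Return (line_no, fqdn, rdata) for A/AAAA records mapping anything but 'localhost.' to loopback."""
    origin = default_origin.rstrip(".") + "."
    findings, last_owner = [], "@"
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments, keep leading indent
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":               # later relative names hang off this
            origin = fields[1]
            continue
        if line[0].isspace():                     # blank owner = repeat previous owner
            owner = last_owner
        else:
            owner = last_owner = fields.pop(0)
        for i, tok in enumerate(fields[:-1]):     # skip [TTL] [CLASS], find TYPE RDATA
            if tok.upper() in ("A", "AAAA"):
                rdata = fields[i + 1]
                break
        else:
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        fqdn = qualify(owner, origin)
        if addr.is_loopback and fqdn != "localhost.":
            findings.append((line_no, fqdn, rdata))
    return findings

# Constructed sample zone (not from the page); the last three records are the mistakes.
SAMPLE_ZONE = """\
$ORIGIN target.com.
@           IN  NS   ns1.target.com.
            IN  NS   ns2.target.com.
www         IN  A    184.108.40.206
localhost.  IN  A    127.0.0.1   ; correct: trailing dot, absolute name
localhost   IN  A    127.0.0.1   ; mistake: becomes localhost.target.com.
localhost   IN  AAAA ::1         ; same mistake for IPv6
blackholed  IN  A    127.0.0.1   ; DoS blackhole pointing a real host at loopback
"""
```

Running find_loopback_records(SAMPLE_ZONE, "target.com") flags lines 6, 7 and 8; on an exported production zone, every hit is a routable name under your domain that resolves to the visitor's own machine and is a candidate for removal.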