Trusting self-reported DNS name

From OWASP
Revision as of 17:44, 13 April 2006 by Jeff Williams (Talk | contribs)




Overview

Using self-reported DNS names for authentication is flawed: the names can easily be spoofed by malicious users.

Consequences

Authentication: Malicious users can fake authentication information by providing false DNS information.

Exposure period

  • Design: Authentication methods are generally chosen during the design phase of development.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

High

Avoidance and mitigation

  • Design: Use other means of identity verification that cannot be simply spoofed.

Discussion

As DNS names can be easily spoofed or misreported, they do not constitute a valid authentication mechanism. Alternative methods should be used if significant authentication is necessary.

In addition, DNS name resolution as authentication would - even if it was a valid means of authentication - imply a trust relationship with the DNS servers used, as well as all of the servers they refer to.

Examples

In C/C++:

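 sd = socket(AF_INET, SOCK_DGRAM, 0);
 serv.sin_family = AF_INET;
 serv.sin_addr.s_addr = htonl(INADDR_ANY);
 serv.sin_port = htons(1008);
 bind(sd, (struct sockaddr *) &serv, sizeof(serv));
 while (1) {
   memset(msg, 0x0, MAX_MSG);
   clilen = sizeof(cli);
   /* Receive first so that cli holds the sender's address. */
   n = recvfrom(sd, msg, MAX_MSG, 0,
                (struct sockaddr *) &cli, &clilen);
   /* FLAW: the name returned by the reverse lookup is used as the sender's identity. */
   h = gethostbyaddr(&cli.sin_addr, sizeof(cli.sin_addr), AF_INET);
   if (h != NULL && strcmp(h->h_name, ...) == 0) {
     /* sender is treated as authenticated */
   }
 }

In Java: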

 while (true) {
   DatagramPacket rp = new DatagramPacket(rData, rData.length);
   outSock.receive(rp);
   String in = new String(rp.getData(), 0, rp.getLength());
   InetAddress IPAddress = rp.getAddress();
   int port = rp.getPort();

   // FLAW: getHostName() returns whatever name the reverse lookup reports for the sender's address.
   if (IPAddress.getHostName().equals(...) && in.equals(...)) {
     out = secret.getBytes();
     DatagramPacket sp = new DatagramPacket(out, out.length,
       IPAddress, port);
     outSock.send(sp);
   }
 }
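
The flawed name check from the examples above next to one alternative that cannot be satisfied by reporting a name, written in Python as an added example that is not part of the original page. It assumes a shared key provisioned out of band and a server-issued nonce; the host name, addresses, key and lookup tables are constructed, and `name_check`, `sign` and `Server` are hypothetical names.

```python
import hashlib
import hmac
import os

TRUSTED_HOST = "trusted.example.com"   # constructed name
SHARED_KEY = bytes(range(32))          # constructed key; assumed provisioned out of band

# Constructed reverse-lookup data. The PTR record for an address is published
# by whoever controls that address's reverse zone, so the name is self-reported.
HONEST_PTR = {"192.0.2.10": "trusted.example.com"}
SELF_REPORTED_PTR = {"198.51.100.7": "trusted.example.com"}


def name_check(src_ip, reverse_lookup):
    """Flawed check from the examples above: trust the looked-up name."""
    return reverse_lookup(src_ip) == TRUSTED_HOST


def sign(key, nonce, payload):
    """Client side: HMAC-SHA256 over the server's nonce and the request."""
    return hmac.new(key, nonce + payload, hashlib.sha256).digest()


class Server:
    """Authenticates a request by proof of key possession, not by name."""

    def __init__(self, key):
        self._key = key
        self._pending = {}              # source address -> outstanding nonce

    def challenge(self, src):
        nonce = os.urandom(16)          # fresh per request, prevents replay
        self._pending[src] = nonce
        return nonce

    def verify(self, src, payload, tag):
        nonce = self._pending.pop(src, None)   # each nonce is single use
        if nonce is None:
            return False
        return hmac.compare_digest(sign(self._key, nonce, payload), tag)


if __name__ == "__main__":
    srv = Server(SHARED_KEY)
    # Both addresses pass the name check; only the key holder passes verify().
    print(name_check("192.0.2.10", HONEST_PTR.get),
          name_check("198.51.100.7", SELF_REPORTED_PTR.get))
    nonce = srv.challenge("198.51.100.7")
    print(srv.verify("198.51.100.7", b"get", sign(b"\x00" * 32, nonce, b"get")))
```

The name check returns the same answer for both addresses because it only sees what the lookup reports, while `verify()` depends on a key the requester must actually hold.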

Related problems

  • Trusting self-reported IP address
  • Using referrer field for authentication
