Dozens of web applications vulnerable to DNS cache poisoning via “forgot password” function


Ben Dickson July 23, 2021 at 11:28 UTC

Updated: July 23, 2021 11:41 UTC

Out of 146 tested, two applications were vulnerable to Kaminsky attacks and 62 to IP fragmentation attacks

Vulnerabilities in the way websites resolve email domains have left many sites open to DNS attacks that can lead to account hijacking, new research shows.

In a study of 146 web applications, Timo Longin, security researcher at SEC Consult, discovered configuration errors that malicious actors could exploit to redirect password reset emails to their own servers.

DNS cache poisoning

Most websites have a “forgot password” feature that sends a message to the user’s email address with a link or one-time passcode to reset their password or regain access to their account. The objective of the study was to find out whether an attacker could force the application to send these emails to an arbitrary server.

For this to happen, the attacker must perform DNS cache poisoning, so that the domain name of the target user (for example, or ) is resolved to the IP address of a server that the attacker controls.


The study focused on two well-known and well-documented attacks. One is known as the “Kaminsky attack”, named after the late security researcher Dan Kaminsky, who first reported it in 2008. The Kaminsky attack takes advantage of low-entropy port allocation in web servers to intercept DNS resolution requests and send spoofed responses.

The second technique, known as an IP fragmentation attack, was first reported in 2013. In this scheme, the attacker takes advantage of the limited size of the server’s response buffer to send malicious packets.

“In internal security assessments, it is common to exploit the ‘forgot password?’ functionality of internal web applications to get password reset URLs in emails,” Longin told The Daily Swig.

“It’s easy to do in a local area network because malicious attacks can be performed by using ARP spoofing to redirect password reset emails sent by web applications to the attacker. Based on this attack vector, and with the potentially devastating consequences in mind, an attempt has been made to apply this concept to web applications on the Internet.”

Malicious DNS responses

Longin analyzed the DNS resolution process of 146 web applications. He set up his own domain and authoritative DNS server (ADNS) and developed his own DNS proxy to resolve domain names, as well as a DNS response logging tool.

He then manually registered users on each website using subdomains of his custom domain and recorded responses to the various attack patterns.

After 20 hours of user registration and hundreds of hours of log analysis, he discovered that two applications were vulnerable to Kaminsky attacks and 62 vulnerable to IP fragmentation attacks.


“DNS attacks via IP fragmentation are probably not as well known as, for example, the Kaminsky attack. I had to take a deep look at this topic to find out that IP fragmentation attacks are a thing,” said Longin, adding that IP fragmentation attacks are very complex and not that easy to exploit.

He also pointed out that “most of the time, protection against IP fragmentation attacks is not available out of the box. This means that some configuration effort may be required.”

A common problem he observed on vulnerable servers was the absence or incorrect configuration of security features such as DNSSEC and DNS cookies. Interestingly, these features have been around for years but continue to be ignored by server administrators.
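The research method described above (an authoritative server under the tester's control that logs every query the web application's resolver sends) lends itself to a simple triage script. The following is an added example, not SEC Consult's tool or code from the article: it parses constructed query-log lines in a hypothetical format and flags the resolver properties the article ties to the Kaminsky attack (fixed source port, predictable transaction IDs) and to missing DNSSEC and DNS cookie support. The log format, field names and resolver addresses are assumptions.

```python
import re
from collections import defaultdict

SAMPLE_LOG = """\
resolver=203.0.113.10 sport=53 txid=0x1a2f do=0 cookie=0
resolver=203.0.113.10 sport=53 txid=0x1a30 do=0 cookie=0
resolver=203.0.113.10 sport=53 txid=0x1a31 do=0 cookie=0
resolver=198.51.100.7 sport=41873 txid=0x9c31 do=1 cookie=1
resolver=198.51.100.7 sport=60217 txid=0x0e8b do=1 cookie=1
resolver=198.51.100.7 sport=33490 txid=0x7d02 do=1 cookie=1
"""  # constructed sample lines in a hypothetical query-log format

LINE_RE = re.compile(
    r"resolver=(?P<ip>\S+) sport=(?P<sport>\d+) txid=0x(?P<txid>[0-9a-fA-F]+) "
    r"do=(?P<do>[01]) cookie=(?P<cookie>[01])"
)

def parse_log(text):
    """Group each resolver's observed source ports, transaction IDs and EDNS flags."""
    seen = defaultdict(lambda: {"ports": [], "txids": [], "do": [], "cookie": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole analysis
        r = seen[m["ip"]]
        r["ports"].append(int(m["sport"]))
        r["txids"].append(int(m["txid"], 16))
        r["do"].append(m["do"] == "1")
        r["cookie"].append(m["cookie"] == "1")
    return seen

def is_sequential(values):
    s = sorted(values)
    return len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))

def assess(seen):
    """Flag per-resolver weaknesses that make spoofed-response attacks easier."""
    report = {}
    for ip, r in seen.items():
        findings = []
        if len(set(r["ports"])) == 1:
            findings.append("fixed source port")  # nothing left for an attacker to guess
        if is_sequential(r["txids"]):
            findings.append("sequential transaction IDs")
        if not any(r["do"]):
            findings.append("DNSSEC DO bit never set")
        if not any(r["cookie"]):
            findings.append("no DNS cookies")
        report[ip] = findings
    return report
```

Running `assess(parse_log(SAMPLE_LOG))` reports the first resolver with all four weaknesses and the second with none; on a real log, a resolver with an empty findings list still deserves a look at its port distribution over far more than three queries.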

Protection of web servers

Due to ongoing disclosure and patching processes, SEC Consult has not disclosed the names of vulnerable websites.

While the study covered 146 web applications, many more are likely to be vulnerable, Longin cautions. Using large DNS providers like Google, Cloudflare, and Cisco can help protect sites, as these providers quickly implement security measures.

But a reliable DNS provider is not enough to stop attacks. The DNS resolution process involves many parts and there are many ways things can go wrong.

SEC Consult has released DNS Reset Checker, an open source tool that assesses the security of DNS resolvers for web applications. Longin also suggests using Google’s guidelines and DNS Flag Day to secure DNS resolution processes.
