Publication

Back to overview

Stopping DNS Rebinding Attacks in the Browser

Type of publication Peer-reviewed
Publikationsform Proceedings (peer-reviewed)
Author Hazhirpasand Mohammadreza, Ale Ebrahim Arash, Nierstrasz Oscar,
Project Agile Software Assistance
Show all

Proceedings (peer-reviewed)

Title of proceedings Proceedings of the 7th International Conference on Information Systems Security and Privacy - ICISSP
DOI 10.5220/0010310705960603

Open Access

URL http://scg.unibe.ch/archive/papers/Hazh21a.pdf
Type of Open Access Repository (Green Open Access)

Abstract

DNS rebinding attacks circumvent the same-origin policy of browsers and severely jeopardize user privacy. Although recent studies have shown that DNS rebinding attacks pose severe security threats to users, up to now little effort has been spent to assess the effectiveness of known solutions to prevent such attacks. We have carried out such a study to assess the protective measures proposed in prior studies. We found that none of the recommended techniques can entirely halt this attack due to various factors, e.g., network layer encryption renders packet inspection infeasible. Examining the previous problematic factors, we realize that a protective measure must be implemented at the browser-level. Therefore, we propose a defensive measure, a browser plug-in called Fail-rebind, that can detect, inform, and protect users in the event of an attack. Afterwards, we discuss the merits and limitations of our method compared to prior methods. Our findings suggest that Fail-rebind does not nec essitate expert knowledge, works on different OSes and smart devices, and is independent of networks and location.
-