DNS Rebinding Attacks, Multi-Pin Variant
Morty writes "DNS rebinding attacks can be used by hostile websites to get browsers to attack behind firewalls, or to attack third parties. Browsers use "pinning" to prevent this, but a paper describes so-called multi-pin vulnerabilities that bypass the existing protections. Note that, from a DNS perspective, this is a "feature" rather than an implementation bug, although it's possible that DNS servers could be modified to prevent external sources from being able to point at internal resources."
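The DNS-side mitigation mentioned in the summary, sketched as an added example (not code from the submission or the paper): a resolver-side filter that drops answers for external names when they point at internal address space. The function names, the `INTERNAL_ZONES` allow-list and the sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: zones that legitimately resolve to internal addresses.
INTERNAL_ZONES = ("corp.example",)

# Address space an external name should never resolve to.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal_address(text):
    """True if the address lies in loopback, private or link-local space."""
    ip = ipaddress.ip_address(text)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped AAAA answer cannot slip through.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)

def in_internal_zone(qname, zones=INTERNAL_ZONES):
    """True if qname is one of the allow-listed zones or a name below it."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def filter_answers(qname, answers, zones=INTERNAL_ZONES):
    """Split upstream A/AAAA answers into (kept, dropped)."""
    if in_internal_zone(qname, zones):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_internal_address(addr) else kept).append(addr)
    return kept, dropped

if __name__ == "__main__":
    # Constructed sample: an external name answering with mixed addresses.
    sample = ["203.0.113.10", "192.168.1.1", "::ffff:10.0.0.5", "fe80::1"]
    kept, dropped = filter_answers("www.attacker.example", sample)
    print("kept:", kept)
    print("dropped (log these):", dropped)
```

Dropped answers are worth logging with the queried name, since an external name that resolves to internal space is a useful detection signal on its own.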
We are now checking your browser... (Score:4, Insightful)
But it's true, most people loooove that javascript. I can't stand it, myself, and only enable it when I absolutely have to.
Flashback (Score:5, Insightful)
At times like these, I tell a story about 1988 when I wrote a BBS terminal emulator for the Commodore 64 which cleverly allowed the BBS to send and run new code on the caller's machine. Another gentleman who didn't much like me noticed the feature and arranged for a number of BBS systems to execute the code at location 64738: system reset.
There is no safe way to run complex sandboxed code on a user's PC and no safe way to allow sandboxed code access to the network. Either you trust the source of the program and let it do what it needs to do, or you don't trust it and don't allow it to run on your PC at all. How many of these vulnerabilities are we going to run through before we finally figure that out?
Re:Ask Slashdot: Pause a running Javascript (Score:3, Insightful)
As an example, let's assume that one of those shaky "Your the 999,999th visitor" ads pins the CPU at 100%. Unless you only have one web browser window/tab open (if you read
Dual core systems could help... but it won't be long before an SMP process can do the 100% pinning as well.
P.S. If you hear whooshing, you probably want to wear eye/head protection.
caching no problem : (Score:3, Insightful)
2) use a new subdomain for every request
3) ???
4) profit