DNS rebinding attacks


BigBison
August 2nd, 2007, 04:28
Summary: While there’s no way to protect browsers against the DNS rebinding attack, you can protect web sites and web services by forcing them to check the HTTP Host header with every request. This is easy to do for RESTful services going through a regular web server like Apache — you get it by default with virtual hosts — but might be trickier for WS-* services.

http://www.megginson.com/blogs/quoderat/2007/08/01/protecting-web-sites-and-services-from-dns-rebinding-attacks/

Just when I'm trying to figure out how to use OpenID without running into cookie problems, this comes along and exposes yet another problem with cookie-based authentication that does not exist with HTTP authentication (you know, the popup login box).
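
The Host header check described in the summary above, as an added example that is not part of the original post or the linked article: a WSGI middleware (Python standard library only) that rejects any request whose Host header is not on an allowlist. The function and class names and the hostname `app.example.com` are assumptions made for illustration.

```python
# Added example: Host-header allowlist as WSGI middleware (names are hypothetical).

def parse_host(raw):
    """Return the lowercased hostname from a Host header, or None if malformed."""
    if not raw or any(c in raw for c in " \t\r\n/@,"):
        return None
    raw = raw.lower()
    if raw.startswith("["):                    # IPv6 literal, e.g. [::1]:8080
        end = raw.find("]")
        if end == -1 or raw[end + 1:end + 2] not in ("", ":"):
            return None
        host, port = raw[:end + 1], raw[end + 2:]
    else:
        host, _, port = raw.partition(":")
    if port and not port.isdigit():
        return None
    return host.rstrip(".") or None            # "example.com." == "example.com"


class HostCheck:
    """Reject any request whose Host header names a site we do not serve."""
    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower().rstrip(".") for h in allowed_hosts}

    def __call__(self, environ, start_response):
        # After a rebind the browser still sends the other site's name in Host,
        # because Host comes from the URL, not from the IP the name resolved to.
        if parse_host(environ.get("HTTP_HOST")) not in self.allowed:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unrecognized Host header\n"]
        return self.app(environ, start_response)


def inner_app(environ, start_response):
    """Stand-in for the protected service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"account data\n"]


def status_for(app, host_header):
    """Drive a WSGI app with a constructed request and return its status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]


GUARDED = HostCheck(inner_app, ["app.example.com"])  # constructed sample hostname
```

Requests addressed by bare IP address or with no Host header at all are rejected too, since neither matches an allowlisted name.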

BigBison
August 9th, 2007, 02:53
Another write-up on this issue:

http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html