Black Hat Briefings, Usa 2007 [audio] Presentations From The Security Conference.

Cross Site Scripting has received much attention over the last several years, although some of its more ominous implications have not received much attention. Anti-DNS pinning is a relatively new threat that, while not well understood by most security professionals, is far from theoretical. This presentation will focus on a live demonstration of anti-DNS pinning techniques. A victim web browser will be used to execute arbitrary, interactive HTTP requests to any server, completely bypassing perimeter firewalls. This is NOT a Jickto knockoff. Jickto relies on using a proxy or caching site like Google to place both sites in the same domain. This does not allow for full interaction with dynamic pages, or any interaction with internal web sites. This demonstration allows full interaction with arbitrary web servers in the intranet environment. No browser bugs or plug-ins are required to accomplish this, only JavaScript. The presenter will demonstrate an automated attack process that provides an HTTP proxy ser