Add Bitsquatting classification to VRT #82

Closed
csimas1 opened this issue Sep 5, 2017 · 0 comments


csimas1 commented Sep 5, 2017

Description

Bitsquatting refers to the act of registering domains that are 1 bit off from a legitimate domain in order to capture traffic destined for that domain. But, due to corruption, an alternate domain is requested instead. A good example of corruption would be an error due to overheating, which could cause components to misfire and a single bit to change from 1 -> 0 or 0 -> 1. For example, a victim intending to request bugcrowd.com may instead request bugcrows.com or bzgcrowd.com.

Causes

Errors caused by component misfiring can be due to overheating, manufacturing defects or electrical problems. In 2015 it was reported that Google's Belgium data center would reach temperatures of 95 degrees during peak hours. Source: https://www.defcon.org/images/defcon-21/dc-21-presentations/Stucke/DEFCON-21-Stucke-DNS-Hazards-Updated.pdf

Attackers are not limited to the most popular domains; they can purchase variants of lesser-known but widely requested domains, such as those made in the background of the request/response lifecycle.

Risks

A victim requests bugcrowd.com but, due to a bit error, makes a request to mugcrowd.com. An attacker owns mugcrowd.com and could return anything he wanted to the victim (e.g. JavaScript, malware, ads).

Bitsquatting can lead to DNS cache poisoning if the attacker's IP address is cached.

The attacker will be able to see client-side request headers and parameter/value pairs.

Classification

Server Security Misconfiguration -> Bitsquatting (P5)

I'm proposing P5 because, from a bug bounty perspective, anything higher is sure to result in reports for domains 1 bit away from the intended domain. Since backend protections exist, demonstrating anything other than a full exploit doesn't prove a company is at risk. If a researcher provides strong evidence of full exploitation, that would easily be a P1, but I'm unsure how that could be communicated via the VRT.

Mitigation

The easiest way to stop bitsquatting is to register all available variants of a domain. Since bitsquatting requires a very high number of requests, it's only a feasible attack on domains receiving several hundreds of thousands of requests per day. Companies with such high traffic are more likely to be able to afford this purchase.

ECC - Error Correcting Code is a method of detecting and correcting single-bit memory errors.

CRC - Cyclic Redundancy Check is an error-detecting code running on a network. All incoming code is flagged and, before being used, is checked against the internal code. If an error is detected, the code is flagged and reviewed by a network admin.

@csimas1 csimas1 added this to the v1.3 milestone Sep 5, 2017
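To make the "register all available variants" mitigation concrete, here is an added example (not part of this issue or the VRT project) that enumerates every syntactically valid domain exactly one bit away from a given name, the list a defender would register or monitor. bugcrowd.com is used only because it is the domain the issue discusses; the hostname rules (label length, no leading/trailing hyphen, same number of labels) are this example's assumptions.

```python
"""Enumerate the 1-bit (bitsquat) variants of a domain name.

Each byte is XORed with every single-bit mask; results that are not valid
hostname syntax are dropped, and case-only flips are ignored because DNS
is case-insensitive (assumptions of this example, not of the issue)."""
import re
import string

HOST_CHARS = set(string.ascii_lowercase + string.digits + "-.")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Each label must be 1-63 chars and alphanumeric at both ends, and the
    name must keep at least one dot."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)


def bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def bitsquat_variants(domain: str) -> list[str]:
    """Return the sorted, distinct domains one bit away from `domain` that are
    still valid hostnames with the same label count.  A flipped '.' becomes
    'n' (and a flipped 'n' becomes '.'), which would change the label count
    and yield an unregistrable name, so those are excluded; a flipped 'm'
    becomes '-', which is rejected when it lands at a label boundary."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit)).lower()  # upper-case flip folds back
            if c == ch or c not in HOST_CHARS:
                continue
            cand = domain[:i] + c + domain[i + 1:]
            if cand.count(".") == domain.count(".") and is_valid_hostname(cand):
                found.add(cand)
    return sorted(found)


if __name__ == "__main__":
    for v in bitsquat_variants("bugcrowd.com"):
        print(v)
```

Note that bit flips can also turn some letters into digits (for example u into 5 and r into 2), so a purely alphabetic variant list would miss registrable names.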