Sunday, December 3, 2017

DNS cache snooping via Blind XXE based SSRF?

Is this a thing? You tell me.

Say you have an XXE vuln on a pentest that only lets you make HTTP calls (SSRF). You know it's working only because you see packets over port 80 from the target system hitting a server you control; there is no data exfil or other fun stuff, so no output of any kind other than server response times. Not much you can do, right? Well, while playing around I noticed the response time was long when I requested domains that don't exist. So I switched to subdomains of good root domains and saw the same delay... That is DNS cache snooping, yeah? If so, it's a newish, kinda worthless attack vector, I think. At least I have not seen any papers on it, so it might be new. What do you think?
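The timing channel above only exists because the XML parser dereferences external entities at all, so the fix belongs at the parser, not at the resolver. As an added example (my own code, not from this post), here is a stdlib-only Python wrapper around expat that refuses any DOCTYPE, entity declaration or external entity reference before a lookup can happen; the two sample documents and the `probe.invalid` URL are constructed for the demo.

```python
import xml.parsers.expat as expat


class ForbiddenXML(Exception):
    """Raised when untrusted XML tries to use a DTD or entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML while rejecting every DTD feature that can trigger network I/O.

    Returns the root element name and its concatenated text for benign input,
    raises ForbiddenXML as soon as a DOCTYPE, entity declaration or external
    entity reference appears.
    """
    parser = expat.ParserCreate()
    found = {"root": None, "text": []}

    # Refuse the whole document at the first <!DOCTYPE ...>: no DTD, no entity tricks.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

    # Belt and braces: also refuse any entity declaration that slipped past the doctype check.
    def on_entity_decl(entity_name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed ({entity_name!r})")

    # And refuse to resolve an external entity reference rather than fetching it.
    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity reference not allowed ({sysid!r})")

    def on_start(name, attrs):
        if found["root"] is None:
            found["root"] = name

    def on_chars(text):
        found["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    parser.Parse(data, True)
    return {"root": found["root"], "text": "".join(found["text"]).strip()}


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses the document, False if it parses cleanly."""
    try:
        parse_untrusted_xml(data)
    except ForbiddenXML:
        return True
    return False


# Constructed sample input: a harmless order document.
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'

# Constructed sample input: the shape of a blind XXE probe. The hostname is a
# placeholder under the reserved .invalid TLD and is never contacted, because
# the parser rejects the DOCTYPE before any entity is resolved.
XXE_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY probe SYSTEM "http://probe.invalid/x">]>'
    b'<order>&probe;</order>'
)

if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN))
    print("probe rejected:", rejects_dtd(XXE_PROBE))
```

The same idea is what `defusedxml` does for the stdlib parsers; for libxml2-based parsers (lxml, PHP, Java's Xerces) the equivalent is disabling external entity resolution and network access in the parser options, which also removes the response-time signal described above since no resolver query is ever made.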
