Vulnerable HTTP(S) requests in a domain name collision environment

In a domain name collision environment, the same domain name is used both inside a private network and in the public Domain Name System (DNS) of the Internet. This can lead to a situation where a malicious actor on the public network intercepts and manipulates HTTP as well as HTTPS requests that were intended for a private-network resource.

These are typical HTTP(S) request paths that can be observed on the public-network side (some real names have been anonymized):

  1. WPAD:
    /wpad.dat
  2. File shares (WebDAV):
    /ComputerA/Shares/document.docx
    /ComputerB/MyWork/spreadsheet.xlsx
    /ServerB/TeamShare/TeamOnenote
  3. Login pages:
    /Citrix/XenApp/auth/login.aspx (Citrix)
    /Orion/Login.aspx (SolarWinds)
    /global-protect/prelogin.esp (PaloAlto)
    /maximo/webclient/login/login.jsp (IBM)
  4. Executable files:
    /officescan/cgi/cgiLog.exe
    /it/Apps/WinSetup.exe
    /install/Admin/ProxySetup.exe
  5. Active Directory objects:
    /sysvol/AD/Policies/Screensave_wallpaper.bat
    /netlogon/ifmember.exe
    /ADDC/GPO-Files/Antivirus/msiinstaller.msi

Malicious actors can intercept any of these object requests and spoof the responses, with catastrophic results. For instance, simply placing a ransomware executable at one of the '.exe' file paths can damage the private network, and a phishing logon page that records login attempts in plaintext can compromise user credentials. Intercepting further HTTP(S) communications is also possible by exploiting the WPAD vulnerability, which is explained in detail in another article.
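The request paths listed above turned into a detection check, as an added example that is not part of the original article: it scans combined-format web-server access log lines (constructed sample, not real traffic) for paths that look like leaked private-network requests and tags each hit with one of the five categories. The category signatures and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter

# Request-path signatures for the five categories listed above (assumed for this example).
# Order matters: an .exe under /netlogon/ is reported as an AD object, not a plain executable.
COLLISION_PATTERNS = [
    ("wpad",         re.compile(r"^/wpad\.dat$", re.I)),
    ("ad_object",    re.compile(r"^/(sysvol|netlogon|addc)/", re.I)),
    ("executable",   re.compile(r"\.(exe|msi|bat|ps1)$", re.I)),
    ("login_page",   re.compile(r"(login|prelogin)[^/]*\.(aspx|esp|jsp|php)$", re.I)),
    ("webdav_share", re.compile(r"share|\.(docx|xlsx|pptx|one)$", re.I)),
]

# Combined-format access-log line (Apache/nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines; the paths are taken from the list above.
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2017:10:00:01 +0000] "GET /wpad.dat HTTP/1.1" 404 162
203.0.113.10 - - [13/May/2017:10:00:02 +0000] "PROPFIND /ComputerA/Shares/document.docx HTTP/1.1" 405 0
198.51.100.7 - - [13/May/2017:10:00:03 +0000] "GET /Orion/Login.aspx?ReturnUrl=%2f HTTP/1.1" 404 162
198.51.100.7 - - [13/May/2017:10:00:04 +0000] "GET /netlogon/ifmember.exe HTTP/1.1" 404 162
192.0.2.5 - - [13/May/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def classify_path(path):
    """Return the collision category for a request path, or None if it looks ordinary."""
    for name, rx in COLLISION_PATTERNS:
        if rx.search(path):
            return name
    return None

def scan_log(text):
    """Return (client_ip, method, path, category) for every line that looks like a leaked request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string before matching
        category = classify_path(path)
        if category:
            hits.append((m.group("ip"), m.group("method"), path, category))
    return hits

def summarize(text):
    """Hits per category: the first view a triage of a colliding name would start from."""
    return Counter(h[3] for h in scan_log(text))
```

The same scan run over an enterprise egress proxy log, with the client IP being internal and the destination public, shows which internal hosts are leaking these requests and therefore need their search-suffix or proxy configuration fixed.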

Reference: JAS Advisors (2017). Introducing: The ORDINAL Dataset. https://www.icann.org/en/system/files/files/presentation-ordinal-datasets-colliding-domains-13may17-en.pdf