2

For example, assume I have edited the hosts file with the following line:

127.0.0.1 malicious-site.com

If I happen to have installed a browser developed by people who own this malicious website: when I accidentally load a webpage which has malicious JavaScript from malicious-site.com, will this browser be able to circumvent the hosts file and still load that JavaScript?

EDIT: OK I see this attack model is not very sane, let's imagine a browser exploit in a neutral browser instead.

EDIT: Somehow I discovered that in Chrome/Chromium the browser would not honor hosts under certain circumstances (such as when configured to use a proxy). That's causing the irregular behavior.

Sajuuk
  • 3
    If they install a malicious browser on your computer I think problems are far greater. They can rewrite the host file or ignore it by doing their own DNS resolution. – Silver Aug 17 '17 at 14:13
  • So you are saying DNS resolution was not mandatory by the operating system? – Sajuuk Aug 17 '17 at 14:41
  • 1
    A browser developed by malicious actors poses far greater problems than bypassing DNS resolution. But to answer your question, DNS resolution can be bypassed by accessing the website directly using the IP instead of the DNS name. So the browser could implement its own DNS resolution and call the server via the IP. If it uses the DNS name, it will probably get resolved by the host files, DNS cache, DNS server, etc. Not sure if there are flags to ignore the host file in such a case. Why do you want to know? – Silver Aug 17 '17 at 15:00
  • But for many websites you need the domain name to access the web server, which is bound to a virtual host. Assume the malicious website uses this to maximize their resources, i.e. hosts many malicious domains on the same IP. – Sajuuk Aug 17 '17 at 15:49

2 Answers

5

If the browser honours the hosts file, i.e. it either uses the system DNS resolver API or reads the hosts file when doing its own DNS lookup, and the browser itself (or a plugin) is not complicit in the malicious act, then no. This is the case for most browsers; very few would not honour the hosts file.

There is no provision within JavaScript to perform DNS lookups outside the normal browser implementation.

The only way around this would be a browser exploit that gained code execution on your system, at which point the DNS issue would be largely moot.

Polynomial
  • Yes, that was exactly what I intended to say. Probably a better title would be: could a browser exploit make the browser circumvent hosts file configuration? – Sajuuk Aug 17 '17 at 15:50
  • 1
    Yes, because a working browser exploit would run code on your system. It can do what it likes at that point. The likelihood of a successful browser exploit on a modern and fully patched browser is fairly low though. – Polynomial Aug 17 '17 at 16:01
4

DNS, in this context, is nothing else than a mapping of names to IP addresses. If you have a host entry saying ::1 example.com then it will contact ::1 whenever an application tries to resolve and contact example.com (unless the application does DNS lookups manually, purposely bypassing the hosts file, but that's not something JavaScript can do from within a normal browser).

If a web page wants to bypass your hosts file, they'll just use the IP address, such as http://[2001:db8::1]/virus.exe.

Luc
  • In a more secure environment, connecting via IP would raise suspicion or cause blockage very fast. A seemingly innocent domain name would not. – Sajuuk Aug 17 '17 at 15:52
  • 1
    @Sajuuk Uh... why would that be the case? _All_ internet traffic is "connect via IP"; the only difference in this case is whether a DNS request happens before the HTTP request. In theory you could detect this with a browser plugin or some tricks with deep packet inspection, but I'm not aware of any system which already flags this sort of behavior as suspicious. – Ajedi32 Aug 17 '17 at 16:43
  • I forgot to mention it usually happens in an HTTP scenario, when you are sending an HTTP request but there is only an IP address in the header. – Sajuuk Aug 18 '17 at 01:52
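
Added example, not part of the original thread: a small audit that parses hosts-file text and labels each requested URL by whether the hosts entry can apply at all, which makes visible the point from the answers that an IP-literal URL (including the bracketed IPv6 form) involves no name lookup. The hosts content and URL list are constructed samples, the function names are hypothetical, and keeping the first mapping seen for a name is an assumption about resolver behaviour.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample hosts-file content (not taken from a real system).
HOSTS_TEXT = """\
# sinkholed domains
127.0.0.1   malicious-site.com
::1         example.com www.example.com
"""

# Constructed sample of requested URLs, e.g. extracted from a proxy log.
URLS = [
    "http://malicious-site.com/a.js",
    "http://[2001:db8::1]/virus.exe",
    "http://192.0.2.10/a.js",
    "https://www.example.com/",
    "https://unrelated.test/index.html",
]

def parse_hosts(text):
    """Return {hostname: address}; comments stripped, aliases expanded."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        for name in fields[1:]:
            # Assumption: the first mapping seen for a name is the one used.
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table

def classify(url, table):
    """'ip-literal': no lookup happens, so the hosts file is never consulted.
    'hosts-override': the name is pinned by a hosts entry.
    'dns': the name falls through to normal DNS resolution."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # urlsplit already removed IPv6 brackets
        return "ip-literal"
    except ValueError:
        pass
    return "hosts-override" if host in table else "dns"

def report(urls, hosts_text):
    table = parse_hosts(hosts_text)
    return [(url, classify(url, table)) for url in urls]

if __name__ == "__main__":
    for url, label in report(URLS, HOSTS_TEXT):
        print(f"{label:15} {url}")
```

The labels only describe what a client that uses the system resolver would do; a client that performs its own lookups, as discussed in the comments, is outside what this check can see.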