[問題]資安弱掃遇到的問題Same site scripting
各位先進大家好,我遇到一個問題解不掉想請大家幫幫忙。
以下是弱掃報告:
Severity:Medium
Type:Configuration
Reported by module :Scripting (Subdomain_Takeover.script)
Description:Tavis Ormandy reported a common DNS misconfiguration that can
result in a minor security issue with web applications. "It's a common
and sensible practice to install records of the form "localhost.
IN A 127.0.0.1" into nameserver configurations, bizarrely however,
administrators often mistakenly drop the trailing dot, introducing an
interesting variation of Cross-Site Scripting (XSS) I call Same-Site
Scripting. The missing dot indicates that the record is not fully qualified,
and thus queries of the form "localhost.example.com" are resolved.
While superficially this may appear to be harmless, it does in fact allow
an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same
origin restrictions, and therefore hijack state management data."
Impact:An attacker can cheat the RFC2109 (HTTP State Management Mechanism)
same origin restrictions, and therefore hijack state management data.
Recommendation:It is advised that non-FQ localhost entries be removed from
nameserver configurations for domains that host websites that rely on HTTP
state management.
拜託了。。。
--
※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 210.68.37.161
※ 文章網址: https://www.ptt.cc/bbs/Web_Design/M.1449637901.A.6BA.html
推
12/09 15:42, , 1F
12/09 15:42, 1F
→
12/09 15:43, , 2F
12/09 15:43, 2F
→
12/09 15:44, , 3F
12/09 15:44, 3F
→
12/09 15:47, , 4F
12/09 15:47, 4F
→
12/09 15:48, , 5F
12/09 15:48, 5F
→
12/10 18:48, , 6F
12/10 18:48, 6F
討論串 (同標題文章)
以下文章回應了本文:
完整討論串 (本文為第 1 之 2 篇):
Web_Design 近期熱門文章
PTT數位生活區 即時熱門文章
