[Question] Same site scripting finding from a security vulnerability scan

Board: Web_Design   Author: (茶米)   Time: 9 years ago (2015/12/09 13:11)   Votes: +1 (1 up, 0 down, 5 neutral)
6 comments, 2 participants, thread 1/2
Hello everyone. I have run into a problem I cannot resolve and would like to ask for your help. Below is the vulnerability scan report:

Severity: Medium
Type: Configuration
Reported by module: Scripting (Subdomain_Takeover.script)
Description: Tavis Ormandy reported a common DNS misconfiguration that can result in a minor security issue with web applications. "It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing dot indicates that the record is not fully qualified, and thus queries of the form "localhost.example.com" are resolved. While superficially this may appear to be harmless, it does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and therefore hijack state management data."
Impact: An attacker can cheat the RFC2109 (HTTP State Management Mechanism) same origin restrictions, and therefore hijack state management data.
Recommendation: It is advised that non-FQ localhost entries be removed from nameserver configurations for domains that host websites that rely on HTTP state management.

Please help...

--
※ Posted from: 批踢踢實業坊 (ptt.cc), from: 210.68.37.161
※ Article URL: https://www.ptt.cc/bbs/Web_Design/M.1449637901.A.6BA.html

12/09 15:42, 1F: In the DNS settings there is an A record for localhost; a dot should be added after it.

12/09 15:43, 2F: If you don't, an attacker can use localhost.example.com to bypass

12/09 15:44, 3F: the XSS restrictions on example.com.

12/09 15:47, 4F: Or simply remove that A record entirely, so that the name localhost

12/09 15:48, 5F: does not go through DNS and this problem cannot occur.

12/10 18:48, 6F: True masters walk among us.
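As an added example (not code from the original post or from the replies), here is a Python check for the misconfiguration the report and the replies describe: a BIND-style zone-file scanner that flags relative (non-fully-qualified) records pointing at a loopback address, shows the name the nameserver will actually answer for (the `localhost.example.com` expansion), and applies the report's recommendation by removing those records. The zone content is constructed for this example. It generalizes slightly beyond the post: any relative owner name that resolves to 127.0.0.1 or ::1 expands under the origin the same way, so the check is not limited to the label `localhost`.

```python
"""Flag relative (non-fully-qualified) loopback records in a BIND-style zone.

'localhost IN A 127.0.0.1' without a trailing dot is relative to $ORIGIN, so
the nameserver answers for localhost.example.com. That name sits under the
site's cookie domain, which is the same-site scripting issue in the report.
"""
from __future__ import annotations

from dataclasses import dataclass

CLASSES = {"IN", "CH", "HS"}
LOOPBACK_TYPES = {"A", "AAAA"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    line_no: int   # 1-based line in the zone text
    owner: str     # owner name exactly as written
    fqdn: str      # name the resolver will actually answer for
    rtype: str
    address: str


def qualify(name: str, origin: str) -> str:
    """Absolute form of an owner name: a trailing dot means already fully
    qualified, '@' means the origin itself, anything else gets the origin."""
    if name.endswith("."):
        return name
    if name == "@":
        return origin
    return f"{name}.{origin}"


def strip_comment(line: str) -> str:
    """Drop a ';' comment; the sample zone has no quoted strings."""
    return line.split(";", 1)[0].rstrip()


def scan_zone(text: str, default_origin: str = ".") -> list[Finding]:
    """Collect relative records whose data is a loopback address.
    Handles $ORIGIN, blank-owner continuation lines and parenthesised
    multi-line records such as SOA; other $-directives are skipped."""
    origin = default_origin
    last_owner = "@"
    in_parens = False
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if in_parens:                        # still inside '( ... )'
            if ")" in line:
                in_parens = False
            continue
        if not line.strip():
            continue
        if "(" in line and ")" not in line:  # record continues on later lines
            in_parens = True
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):        # $TTL, $INCLUDE, $GENERATE ...
            continue
        if raw[0] in " \t":                  # leading blank: same owner as before
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        # skip the optional TTL and class fields to reach the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if len(tokens) < 2:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1]
        if rtype in LOOPBACK_TYPES and rdata in LOOPBACK_ADDRS and not owner.endswith("."):
            findings.append(Finding(line_no, owner, qualify(owner, origin), rtype, rdata))
    return findings


def remove_findings(text: str, findings: list[Finding]) -> str:
    """Apply the report's recommendation: drop the flagged records."""
    drop = {f.line_no for f in findings}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample zone (example.com is a documentation domain).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA  ns1.example.com. hostmaster.example.com. (
                     2015120901 ; serial
                     3600 900 604800 300 )
@           IN  A    203.0.113.10
www         IN  A    203.0.113.10
localhost   IN  A    127.0.0.1     ; relative: answers for localhost.example.com
localhost.  IN  A    127.0.0.1     ; absolute: not expanded under the origin
dev         IN  AAAA ::1           ; any relative loopback record expands the same way
"""

if __name__ == "__main__":
    found = scan_zone(SAMPLE_ZONE)
    for f in found:
        print(f"line {f.line_no}: '{f.owner}' {f.rtype} {f.address} -> resolves as {f.fqdn}")
    print(remove_findings(SAMPLE_ZONE, found))
```

Run against the sample it reports line 8 (`localhost` expanding to `localhost.example.com.`) and line 10, and leaves the `localhost.` record alone because the trailing dot makes it absolute. Whether that absolute record is served at all is a separate question, since it lies outside the example.com zone, which is why the report's recommendation is removal; `remove_findings` implements exactly that, and rescanning the result yields no findings.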
Article ID (AID): #1MPxWDQw (Web_Design)