The Tangled Web by Zalewski Michal

Author:Zalewski, Michal [Michal Zalewski]
Language: eng
Format: epub, mobi
Tags: COMPUTERS / Internet / Security
ISBN: 9781593274177
Publisher: No Starch Press
Published: 2011-11-28T16:00:00+00:00

Non-Fully Qualified Hostnames

Many users browse the Web with their DNS resolvers configured to append local suffixes to all found hostnames, often without knowing. Such settings are usually sanctioned by ISPs or employers through automatic network configuration data (Dynamic Host Configuration Protocol, DHCP).

For any user browsing with such a setting, the resolution of DNS labels is ambiguous. For example, if the DNS search path includes coredump.cx, then www.example.com may resolve to the real www.example.com website or to www.example.com.coredump.cx if such a record exists. The outcomes are partly controlled by configuration settings and, to some extent, can be influenced by an attacker.

To the browser, both locations appear to be the same, which may have some interesting side effects. Consider one particularly perverse case: Should http://com, which actually resolves to http://com.coredump.cx/, be able to set *.com cookies by simply omitting the domain parameter?

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.