Re: [Question] Problem from a security vulnerability scan: Same site scripting

Board: Web_Design   Time: 7 years ago (2016/07/29 14:38)   Score: 0 (0 push, 0 boo, 4 neutral)
4 comments, 2 participants, latest thread 2/2
※ Quoting 《luckdavid (茶米)》:
: Title: [Question] Problem from a security vulnerability scan: Same site scripting
: Time: Wed Dec 9 13:11:37 2015
:
: Hello everyone, I have run into a problem I cannot resolve and would like your help.
: Here is the scan report:
:
: Severity: Medium
: Type: Configuration
: Reported by module: Scripting (Subdomain_Takeover.script)
:
: Description: Tavis Ormandy reported a common DNS misconfiguration that can result in a
: minor security issue with web applications. "It's a common and sensible practice to
: install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations,
: bizarrely however, administrators often mistakenly drop the trailing dot, introducing an
: interesting variation of Cross-Site Scripting (XSS) I call Same-Site Scripting. The missing
: dot indicates that the record is not fully qualified, and thus queries of the form
: "localhost.example.com" are resolved. While superficially this may appear to be harmless,
: it does in fact allow an attacker to cheat the RFC2109 (HTTP State Management Mechanism)
: same origin restrictions, and therefore hijack state management data."
:
: Impact: An attacker can cheat the RFC2109 (HTTP State Management Mechanism) same origin
: restrictions, and therefore hijack state management data.
:
: Recommendation: It is advised that non-FQ localhost entries be removed from nameserver
: configurations for domains that host websites that rely on HTTP state management.
:
: Please help...
:
: --
: ※ Sent from: 批踢踢實業坊(ptt.cc), from: 210.68.37.161
: ※ Article URL: https://www.ptt.cc/bbs/Web_Design/M.1449637901.A.6BA.html
: 推 LPH66: It is a DNS setting: there is an A record for localhost that should have a dot after it 12/09 15:42
: → LPH66: Without the dot, an attacker can use localhost.example.com to get around 12/09 15:43
: → LPH66: the XSS restrictions on example.com 12/09 15:44
: → LPH66: Or simply remove that A record, so that the name localhost 12/09 15:47
: → LPH66: never goes through DNS and the problem cannot occur 12/09 15:48
: → threeus: A master walks among us 12/10 18:48

To LPH and everyone:
I ran into the same problem. I am not very familiar with Unix systems. Following L's comment, I edited the /etc/hosts file and commented out the line
127.0.0.1 loopback localhost
with a #, like this:
# 127.0.0.1 loopback localhost
But the scan result is still the same. Which other DNS settings need to be changed?
Thanks~
--
※ Sent from: 批踢踢實業坊(ptt.cc), from: 111.70.210.111
※ Article URL: https://www.ptt.cc/bbs/Web_Design/M.1469774330.A.812.html

1F  07/29 15:21: You need to edit the DNS zone file, not hosts
2F  07/29 15:21: Vulnerability scanning has nothing to do with the user's client
3F  07/29 15:51: I see... so it is a DNS server problem. Thanks, d.
4F  07/29 16:00: I was scanning the web server, so I had assumed it was a web server problem..
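The check the thread arrives at (LPH66's quoted reply and comment 1F: the fix lives in the DNS zone file served by the nameserver, not in /etc/hosts on the scanned host), written out as an added example that is not part of the original thread. It parses a constructed BIND-style zone (example.com, ns1, www and the 192.0.2.x addresses are assumptions made up for the sample), applies $ORIGIN semantics so that an owner name without a trailing dot becomes relative to the zone, and reports A records whose owner expands to localhost.<zone> and points at the loopback network. The same zone with the trailing dot added produces no finding.

```python
import ipaddress

# Constructed sample zone (not from the original post).  The owner name
# "localhost" has no trailing dot, so under $ORIGIN it is relative and the
# record answers queries for localhost.example.com: the misconfiguration
# the scanner reports as Same-Site Scripting.
WEAK_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA ns1.example.com. hostmaster.example.com. 2016072901 3600 900 604800 86400
           IN NS  ns1.example.com.
ns1        IN A   192.0.2.1
www        IN A   192.0.2.10
localhost  IN A   127.0.0.1   ; relative name: resolves as localhost.example.com.
"""

# The same zone with the record made fully qualified (trailing dot).
# Deleting the line entirely, as LPH66 suggests, is the other valid fix.
FIXED_ZONE = WEAK_ZONE.replace("localhost  IN A", "localhost. IN A")


def qualify(name, origin):
    """Expand an owner name the way a zone parser does: '@' is the origin,
    a name ending in '.' is already absolute, anything else is relative
    and gets the origin appended."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def a_records(zone_text, default_origin="."):
    """Yield (owner_fqdn, address) for every A record in a BIND-style zone.

    Handles $ORIGIN, ';' comments, optional TTL/class fields and owner-name
    inheritance for lines that start with whitespace.  Multi-line records
    in parentheses are not needed for this check and are not supported.
    """
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):      # $TTL, $INCLUDE, ...: not records
            continue
        if line[0].isspace():              # owner inherited from previous record
            fields = tokens
        else:
            owner = qualify(tokens[0], origin)
            fields = tokens[1:]
        # skip the optional TTL and class fields, then expect the RR type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "A":
            yield owner, fields[1]


def find_same_site_scripting(zone_text, default_origin="."):
    """Return A records whose owner name expands to localhost.<something>
    and whose address is in the loopback network: exactly the records the
    scanner complains about.  A bare, absolute 'localhost.' is not reported."""
    findings = []
    for owner, address in a_records(zone_text, default_origin):
        labels = owner.rstrip(".").split(".")
        if labels[0] == "localhost" and len(labels) > 1:
            try:
                loopback = ipaddress.ip_address(address).is_loopback
            except ValueError:
                loopback = False
            if loopback:
                findings.append((owner, address))
    return findings


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("fixed", FIXED_ZONE)):
        print(label, find_same_site_scripting(zone) or "no finding")
```

Run it against the real zone file (`find_same_site_scripting(open("db.example.com").read(), "example.com")`) on the authoritative nameserver, fix or delete the flagged record, reload the zone, and confirm from outside with `dig +short A localhost.example.com @ns1.example.com`, which should now return nothing. Editing /etc/hosts on the web server changes only that machine's own resolver and is never seen by the scanner, which is why the rescan came back unchanged.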
Article code (AID): #1NcldwWI (Web_Design)