Re: [Question] Same site scripting issue reported by a security vulnerability scan
※ Quoting luckdavid (茶米):
: Subject: [Question] Same site scripting issue reported by a security vulnerability scan
: Date: Wed Dec 9 13:11:37 2015
:
: Hello everyone, I have run into a problem I cannot fix and would like to ask for your help.
: Below is the vulnerability scan report:
: Severity: Medium
: Type: Configuration
: Reported by module: Scripting (Subdomain_Takeover.script)
:
: Description: Tavis Ormandy reported a common DNS misconfiguration that can
: result in a minor security issue with web applications. "It's a common
: and sensible practice to install records of the form "localhost.
: IN A 127.0.0.1" into nameserver configurations, bizarrely however,
: administrators often mistakenly drop the trailing dot, introducing an
: interesting variation of Cross-Site Scripting (XSS) I call Same-Site
: Scripting. The missing dot indicates that the record is not fully qualified,
: and thus queries of the form "localhost.example.com" are resolved.
: While superficially this may appear to be harmless, it does in fact allow
: an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same
: origin restrictions, and therefore hijack state management data."
:
: Impact: An attacker can cheat the RFC2109 (HTTP State Management Mechanism)
: same origin restrictions, and therefore hijack state management data.
:
: Recommendation: It is advised that non-FQ localhost entries be removed from
: nameserver configurations for domains that host websites that rely on HTTP
: state management.
:
: Please help...
:
:
: --
: ※ Posted from: PTT (ptt.cc), from: 210.68.37.161
: ※ Article URL: https://www.ptt.cc/bbs/Web_Design/M.1449637901.A.6BA.html
: 推 LPH66: In the DNS settings, the A record for localhost should end with a dot 12/09 15:42
: → LPH66: Without it, an attacker can use localhost.example.com to bypass 12/09 15:43
: → LPH66: the XSS restrictions on example.com 12/09 15:44
: → LPH66: Or simply remove that A record; then the name localhost 12/09 15:47
: → LPH66: never goes through DNS and the problem does not arise 12/09 15:48
: → threeus: Experts walk among us 12/10 18:48
To LPH and everyone:
I have run into the same problem. I am not very familiar with Unix systems. Following L's comment, I edited the /etc/hosts file
and commented out the line 127.0.0.1 loopback localhost with #, as below:
# 127.0.0.1 loopback localhost
But the scan result is still the same.
Which other DNS settings need to be changed?
Thanks~
--
※ Posted from: PTT (ptt.cc), from: 111.70.210.111
※ Article URL: https://www.ptt.cc/bbs/Web_Design/M.1469774330.A.812.html
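The scanner resolves localhost.<domain> through the domain's public DNS, so the record that matters is the one in the zone served by the authoritative nameserver, not the /etc/hosts file on the web server. The checker below is an added example, not code from the thread: it parses a constructed BIND-style zone (example.com is an assumed domain) and reports loopback records that, lacking a trailing dot, expand to names like localhost.example.com, which is exactly what the scan report and LPH66's comment describe.

```python
# Constructed sample zone; example.com is an assumed domain, not the poster's.
ZONE_WEAK = """\
$ORIGIN example.com.
$TTL 3600
@           IN SOA ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
@           IN NS  ns1.example.com.
www         IN A   203.0.113.10
localhost   IN A   127.0.0.1   ; loopback record; check whether the owner ends with a dot
"""

# Same zone with the record fully qualified, as LPH66's comment recommends.
ZONE_FIXED = ZONE_WEAK.replace("localhost   IN A", "localhost.  IN A")


def qualify(owner, origin):
    """Expand an owner name the way a nameserver does: '@' is the origin, a
    trailing dot means fully qualified, anything else gets $ORIGIN appended."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def find_same_site_localhost(zone_text):
    """Return FQDNs (without trailing dot) of loopback records that live under
    the zone origin, e.g. ['localhost.example.com']; an empty list means clean."""
    origin = "."
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        parts = line.split()
        # Handles the plain "<owner> [TTL] [IN] A|AAAA <address>" record form.
        rtype = "AAAA" if "AAAA" in parts else "A" if "A" in parts else None
        if rtype is None:
            continue
        addr = parts[parts.index(rtype) + 1]
        fqdn = qualify(parts[0], origin)
        if fqdn != "localhost." and (addr.startswith("127.") or addr == "::1"):
            findings.append(fqdn.rstrip("."))
    return findings
```

Running find_same_site_localhost on the weak zone returns ['localhost.example.com'], and on the fixed zone returns an empty list; removing the record entirely, as LPH66 also suggests, gives the same clean result.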