※ 引述《luckdavid (茶米)》之銘言:
: 標題: [問題]資安弱掃遇到的問題Same site scripting
: 時間: Wed Dec 9 13:11:37 2015
:
: 各位先進大家好,我遇到一個問題解不掉想請大家幫幫忙。
: 以下是弱掃報告:
: Severity:Medium
: Type:Configuration
: Reported by module :Scripting (Subdomain_Takeover.script)
:
: Description:Tavis Ormandy reported a common DNS misconfiguration that can
: result in a minor security issue with web applications. "It's a common
: and sensible practice to install records of the form "localhost.
: IN A 127.0.0.1" into nameserver configurations, bizarrely however,
: administrators often mistakenly drop the trailing dot, introducing an
: interesting variation of Cross-Site Scripting (XSS) I call Same-Site
: Scripting. The missing dot indicates that the record is not fully qualified,
: and thus queries of the form "localhost.example.com" are resolved.
: While superficially this may appear to be harmless, it does in fact allow
: an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same
: origin restrictions, and therefore hijack state management data."
:
: Impact:An attacker can cheat the RFC2109 (HTTP State Management Mechanism)
: same origin restrictions, and therefore hijack state management data.
:
: Recommendation:It is advised that non-FQ localhost entries be removed from
: nameserver configurations for domains that host websites that rely on HTTP
: state management.
:
: 拜託了。。。
:
:
: