※ Quoting luckdavid (茶米):
: Subject: [Question] A Same Site Scripting finding from a security vulnerability scan
: Time: Wed Dec 9 13:11:37 2015
:
: Hello everyone, I've run into a finding I can't resolve and would like to ask for your help.
: Below is the vulnerability scan report:
: Severity: Medium
: Type: Configuration
: Reported by module: Scripting (Subdomain_Takeover.script)
:
: Description: Tavis Ormandy reported a common DNS misconfiguration that can
: result in a minor security issue with web applications. "It's a common
: and sensible practice to install records of the form "localhost.
: IN A 127.0.0.1" into nameserver configurations; bizarrely, however,
: administrators often mistakenly drop the trailing dot, introducing an
: interesting variation of Cross-Site Scripting (XSS) I call Same-Site
: Scripting. The missing dot indicates that the record is not fully qualified,
: and thus queries of the form "localhost.example.com" are resolved.
: While superficially this may appear to be harmless, it does in fact allow
: an attacker to cheat the RFC2109 (HTTP State Management Mechanism) same
: origin restrictions, and therefore hijack state management data."
:
: Impact: An attacker can cheat the RFC2109 (HTTP State Management Mechanism)
: same origin restrictions, and therefore hijack state management data.
:
: Recommendation: It is advised that non-FQ localhost entries be removed from
: nameserver configurations for domains that host websites that rely on HTTP
: state management.
:
: Please help...
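The scanner's finding boils down to one zone-file detail: an owner name of `localhost` without a trailing dot is relative and gets expanded under `$ORIGIN`, so `localhost.example.com` resolves to 127.0.0.1 and shares the site's cookie scope. The following is an added example (my own code, not from the original post or from the scanner) that lints a BIND-style zone for exactly that mistake and applies the report's recommendation by dropping the non-fully-qualified entries. The zone text is constructed for illustration, and the parser assumes the simplified one-record-per-line syntax shown in it.

```python
"""Lint a BIND-style zone file for non-fully-qualified 'localhost' A/AAAA records.

Added example: the sample zone below is constructed, and the parser only handles
the simple one-record-per-line layout it uses (no multi-line or $GENERATE forms).
"""

# Constructed zone: 'localhost.' (absolute, fine) beside 'localhost' (relative,
# which the server expands to localhost.example.com. -> the reported misconfig).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN SOA ns1.example.com. hostmaster.example.com. (2015120901 3600 900 604800 86400)
            IN NS  ns1.example.com.
www         IN A   192.0.2.10
localhost.  IN A   127.0.0.1   ; correct: trailing dot makes the name absolute
localhost   IN A   127.0.0.1   ; wrong: relative name, becomes localhost.example.com.
"""

LOOPBACK = {"127.0.0.1", "::1"}


def qualify(name, origin):
    """Expand an owner name the way a nameserver does: '@' is the origin,
    a trailing dot means absolute, anything else is relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (fqdn, rtype, rdata) tuples for every A/AAAA record in the zone."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        fields = line.split()
        # A line that starts with whitespace reuses the previous owner name.
        owner = None if raw[0].isspace() else fields.pop(0)
        # Skip optional TTL and class tokens so the record type is fields[0].
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if owner is None or len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        records.append((qualify(owner, origin), fields[0].upper(), fields[1]))
    return records


def find_same_site_scripting(records):
    """FQDNs whose leftmost label is 'localhost' under a real domain and which
    point at loopback: these are the entries the scan report complains about."""
    findings = []
    for fqdn, _rtype, rdata in records:
        labels = fqdn.rstrip(".").split(".")
        if labels[0].lower() == "localhost" and len(labels) > 1 and rdata in LOOPBACK:
            findings.append(fqdn)
    return findings


def remove_non_fq_localhost(text):
    """Apply the recommendation: drop records whose owner is the relative name
    'localhost' (no trailing dot). Absolute 'localhost.' entries are kept."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if fields and not raw[0].isspace() and fields[0].lower() == "localhost":
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    before = find_same_site_scripting(parse_zone(SAMPLE_ZONE))
    print("leaked localhost names:", before)
    after = find_same_site_scripting(parse_zone(remove_non_fq_localhost(SAMPLE_ZONE)))
    print("after cleanup:", after)
```

Run it against an exported copy of each zone that serves a site relying on cookies; a non-empty result is the same condition the scanner detected from the outside, and an empty result after `remove_non_fq_localhost` confirms the fix before the zone is reloaded.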