Same-Site Scripting: The Lesser-Known Vulnerability

February 9, 2016

Hi Readers,

A sub-domain can end up with a DNS record that points at the loopback address, 127.0.0.1 (or ::1 for IPv6). Many security researchers and developers are not aware of this lesser-known vulnerability, usually called same-site scripting.

Imagine a user who wants to reach “subdomain.example.com”. If that name resolves to 127.0.0.1, the browser never contacts example.com’s servers at all: it connects to the user’s own machine. If the user happens to be running a service on localhost (an XAMPP or WAMP web server, for instance), that local service answers the request, and the user cannot reach the real “subdomain.example.com” until the local service is stopped. The security problem is that the browser still treats the response as content from example.com. Cookies scoped to the parent domain (Domain=.example.com) are sent to whatever is listening on the local port, and anything that local service serves, or that an attacker can get it to serve, runs as same-site content for example.com.
Run a Simple Test

Resolve the sub-domain and look at the address that comes back. The quickest way on most systems is a ping:

ping subdomain.example.com

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

A reply from 127.0.0.1 is your own machine answering, not anything on example.com’s network; that is the tell-tale sign. Because the name resolves to loopback, this ping succeeds even if example.com filters ICMP entirely, so the test is really a DNS check. If you prefer to skip ICMP, query the record directly with dig, host or nslookup; the address in the answer is what matters, not whether anything replies to the echo.
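As an added example (not code from the original post or from Cybrary), the script below does what the ping test does, but against DNS answers rather than ICMP, and then shows why a loopback answer matters: using RFC 6265 domain matching, it lists which cookies scoped to the parent domain a browser would attach to a request for the sub-domain, and therefore hand to whatever is listening on the user’s own machine. The zone data and cookies are constructed for the demo; `resolve()` wraps the system resolver so the same check can be run against a real zone.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed sample zone for the demo (not any real organisation's DNS):
# hostname -> the A/AAAA answers its resolver returns.
ZONE: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "mail.example.com": ["93.184.216.35"],
    "localhost.example.com": ["127.0.0.1"],       # the misconfiguration from the post
    "dev.example.com": ["127.0.0.1", "::1"],      # same problem, dual-stack
}

# Constructed cookies a user of example.com might hold: (name, Domain attribute).
# Host-only cookies (no Domain attribute) are left out; they go to one exact host.
COOKIES: List[Tuple[str, str]] = [
    ("session", ".example.com"),
    ("prefs", "example.com"),
    ("csrf", "www.example.com"),
]


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped ::ffff:127.x.x.x."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def loopback_hosts(records: Dict[str, Iterable[str]]) -> List[str]:
    """Names in `records` with at least one loopback answer, sorted."""
    return sorted(name for name, addrs in records.items()
                  if any(is_loopback(a) for a in addrs))


def resolve(hostname: str) -> List[str]:
    """Live lookup through the system resolver, for checking your own zone.
    Returns [] when the name does not resolve. Not used by the offline demo."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host is the cookie
    domain itself or ends with '.' + cookie domain. A leading dot on the
    Domain attribute is ignored, as browsers do."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(request_host: str, cookies: Iterable[Tuple[str, str]]) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host.
    Domain matching only; Path, Secure and SameSite are not modelled here."""
    return [name for name, dom in cookies if domain_matches(request_host, dom)]


def same_site_exposure(records: Dict[str, Iterable[str]],
                       cookies: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """For every sub-domain that resolves to loopback, the parent-domain cookies
    that a service listening on the user's own machine would receive."""
    cookies = list(cookies)
    return {name: cookies_sent_to(name, cookies) for name in loopback_hosts(records)}


if __name__ == "__main__":
    for host, names in same_site_exposure(ZONE, COOKIES).items():
        print(f"{host} resolves to loopback; a local service would receive cookies {names}")
```

To audit a real zone, replace `ZONE` with `{name: resolve(name) for name in your_subdomains}`; anything that shows up in `loopback_hosts()` is the misconfiguration this post is about, and the cookie list is what a local service on an affected user’s machine gets for free.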
Many organizations have DNS records misconfigured with the address 127.0.0.1 (we won’t list those sites here). One we can name: HackerOne, the well-known bug bounty platform, had this issue. A security researcher reported it and the vulnerability has been fixed.
Let’s Fix the Issue

1. Point the record at an address you actually control, normally the host that is meant to serve the sub-domain. Do not replace 127.0.0.1 with an arbitrary address: a record pointing at address space you do not own is a dangling-DNS problem of its own.

2. Remove the DNS record entirely if the sub-domain is no longer needed.
Regards,

Vinoth Kumar

Security Researcher

12 Comments
  1. Is it the vulnerability known as DNS Rebinding?

  2. Hey guys,
    If anyone has C++ / Java code for measuring the distance of a moving object, please help me out ASAP.

  3. Disabling the ICMP service is a good start, because the ping wouldn’t elicit a response even when the server is on and the subdomain exists. If the ping has to send back a reply, for some reason, then by all means disabling the subdomain has to be the first thing the admin does, post-installation of the web server 🙂

  4. I have a question: could the admin not simply configure the service running on 127.0.0.1 so that it knows which directory to display for the domain asked for?

    A great example is Apache and its name-based virtual hosts.
    Or… am I missing something here? :p

    Anyhow, thanks for the info.
