Same-Site Scripting: The Lesser-Known Vulnerability - Cybrary

Hi Readers,It's quite possible that a sub-domain has a "loop back" address, i.e. Many security researchers and developers may not be aware of this lesser-known vulnerability.

Imagine a scenario where a user has to access "". If the sub domain is configured with address and, if the user is already running a service on their localhost (Eg. Xamp/Wamp server running), he/she will obviously be redirected to the localhost services. He/she will never be able to visit "" unless the user has stopped the services on the localhost.

Run a Simple Test

Simply send a ping request to the sub domain to find the IP address:


Reply from bytes=32 time<1ms TTL=128

Many organization have the DNS misconfigured with the address (but, we won't disclose all those websites). We will share that the famous Bug Bounty Program, HackerOne, had this issue. They were notified by a security researcher and fixed the vulnerability.

Let's Fix the Issue

1. Change the IP address from to a random address.

2. Simply remove the sub-domain entry if it's not needed.

Regards,Vinoth kumar

Security Researcher

Start learning with Cybrary

Create a free account

Related Posts

All Blogs