|
|
 |
| New User, Welcome! Login |
Re: Administrivia: Real domain names in PoC/exploit examples
| From: |
dm securityfocus com |
| To: |
Nate Eldredge <nate thatsmathematics com> |
| Cc: |
bugtraq securityfocus com |
| Subject: |
Re: Administrivia: Real domain names in PoC/exploit examples |
| Date: |
Fri - May 28, 2010 09:55 AM |
On Fri, May 28, 2010 at 08:38:57AM -0700, Nate Eldredge wrote:
> On Fri, 28 May 2010, dm@securityfocus.com wrote:
>
> >And this is the sort of thing that would be appropriate:
> >- www.example.com (this is really the best way to go)
>
> Except that www.example.com, while reserved according to RFC 2606,
> actually resolves to a host with a web server (running, interestingly,
> Apache 2.2.3 from circa 2006), which gives you a page telling you about
> RFC 2606. It appears to be run by the IANA. So it might be polite not to
> use this, so as not to attack the IANA by mistake.
>
> Better would be the reserved TLDs from RFC 2606, which AFAIK should never
> resolve at all: *.test, *.example, and *.invalid. Unfortunately,
> "www.foo.example" is less obviously a host name compared to
> "www.example.com".
>
> >- Some other place-holder that is not a valid domain such as <victim>,
> >etc.
>
> That works too.
>
> --
Okay, agreed. Let us not abuse IANA's poor little Apache 2.2.3
server.
So, to sum up, these guys are good for exploit/PoC examples:
1. Place-holder such as <victim>.
2. Reserved TLDs from RFC 2606 such as *.test, *.example, and
*.invalid.
--
Dave McKinney
Symantec
keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
