攻擊者能夠欺騙 DNS。勿將 DNS 名稱作為安全性的依據。
許多 DNS 服務器都很容易被攻擊者欺騙,所以應考慮到某天軟件有可能會在有問題的 DNS 服務器環境下運行。如果允許攻擊者進行 DNS 更新 (有時稱為 DNS cache poisoning),則他們會通過自己的機器路由您的網絡流量,或者讓他們的 IP 地址看上去就在您的域中。勿將系統安全寄托在 DNS 名稱上。
例 1:以下代碼使用 DNS 查找,以確定輸入請求是否來自可信賴的主機。如果攻擊者可以攻擊 DNS 緩存,那么他們就會獲得信任。
struct hostent *hp;
struct in_addr myaddr;
char* tHost = "trustme.trusty.com";
myaddr.s_addr=inet_addr(ip_addr_string);
hp = gethostbyaddr((char *) &myaddr,
sizeof(struct in_addr), AF_INET);
if (hp && !strncmp(hp->h_name, tHost, sizeof(tHost))) {
trusted = true;
} else {
trusted = false;
}
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A3 Broken Authentication and Session Management
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3460 CAT I
[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3460 CAT I
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[7] Standards Mapping - FIPS200 - (FISMA) IA
[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 807
[10] Standards Mapping - SANS Top 25 2011 - (SANS Top 25 2011) Porous Defenses - CWE ID 807
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8