攻擊者能夠欺騙 DNS。勿將 DNS 名稱作為安全性的依據。
許多 DNS 服務器都很容易被攻擊者欺騙,所以應考慮到某天軟件有可能會在有問題的 DNS 服務器環境下運行。如果允許攻擊者進行 DNS 更新 (有時稱為 DNS cache poisoning),則他們會通過自己的機器路由您的網絡流量,或者讓他們的 IP 地址看上去就在您的域中。勿將系統安全寄托在 DNS 名稱上。
例:以下代碼使用 DNS 查找,以確定輸入請求是否來自可信賴的主機。如果攻擊者可以攻擊 DNS 緩存,那么他們就會獲得信任。
String ip = request.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
if (addr.getCanonicalHostName().endsWith("trustme.com")) {
trusted = true;
}
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A3 Broken Authentication and Session Management
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A3 Broken Authentication and Session Management
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A7 Broken Authentication and Session Management
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3460 CAT I
[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3460 CAT I
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[7] Standards Mapping - FIPS200 - (FISMA) IA
[8] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 807
[10] Standards Mapping - SANS Top 25 2011 - (SANS Top 25 2011) Porous Defenses - CWE ID 807
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8