Network Security Web-App-Sec

Re: .com. filter bypass

Subject: Re: .com. filter bypass
Date: Thu, 19 Aug 2004 13:02:46 +0200
On Wed, Aug 18, 2004 at 12:05:39PM -0700, RSnake wrote:

> "http://www.google.com./" is a valid url in browsers (with the dot
> at the end).

Because "example.com." is a standard way to represent an absolute DNS
name - the root level domain is a null string, hence the dot at the end.

Quoting from RFC 1034 - Domain names - concepts and facilities

"When a user needs to type a domain name, the length of each label is
 omitted and the labels are separated by dots (".").  Since a complete
 domain name ends with the root label, this leads to a printed form
 which ends in a dot.  We use this property to distinguish between:

   - a character string which represents a complete domain name
     (often called "absolute").  For example, "poneria.ISI.EDU."

   - a character string that represents the starting labels of a
     domain name which is incomplete, and should be completed by
     local software using knowledge of the local domain (often
     called "relative").  For example, "poneria" used in the
     ISI.EDU domain.

 Relative names are either taken relative to a well known origin, or
 to a list of domains used as a search list.  Relative names appear
 mostly at the user interface, where their interpretation varies from
 implementation to implementation, and in master files, where they are
 relative to a single origin domain name.  The most common
 interpretation uses the root "." as either the single origin or as
 one of the members of the search list, so a multi-label relative name
 is often one where the trailing dot has been omitted to save typing."

> As a side note, nslookup and traceroute both ignored the trailing
> period

I wouldn't call that "ignorance" since in fact it actually adds the
dot to the end automatically if it is not there already.

The thing that is broken is the URL checking filter and I'm sure the
original poster probably had this in mind. I just wanted to clear the
background. (sorry for the noise) 

Anyway, this is not a new thing. There are also many other schemes for
circumventing "web content filters". This one is one of the oldest and
afaik it does not work against modern filters...

Related links:
http://nocensor.citizenlab.org/
http://www.usenix.org/publications/library/proceedings/sec02/feamster/feamster_html/

Martin Mačok
IT Security Consultant
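
An added example, not part of the original post: a host check that compares the raw host string misses the absolute form "example.com.", while a check that canonicalizes the name first does not. The blocklist entry `blocked.example`, the function names and the fail-closed handling of malformed names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist entry for illustration only.
BLOCKED_DOMAINS = {"blocked.example"}


def naive_is_blocked(url):
    """Flawed check: compares the host exactly as it appears in the URL."""
    host = urlsplit(url).hostname or ""
    return host in BLOCKED_DOMAINS


def canonical_host(url):
    """Return the host in relative form (lowercase, no root dot).

    Returns None when the name is malformed (missing host or an empty
    label such as "a..b"), so the caller can decide how to fail.
    """
    host = (urlsplit(url).hostname or "").lower()
    # RFC 1034: an absolute name ends with the root label, printed as a
    # trailing dot. Drop exactly one so both forms compare equal.
    if host.endswith("."):
        host = host[:-1]
    if any(label == "" for label in host.split(".")):
        return None
    return host


def is_blocked(url):
    """Match the canonical host, and its subdomains, against the blocklist."""
    host = canonical_host(url)
    if host is None:
        return True  # assumption: a filter should fail closed on bad names
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


if __name__ == "__main__":
    for u in ("http://blocked.example/",
              "http://blocked.example./",
              "http://WWW.Blocked.Example./page",
              "http://notblocked.example./"):
        print(u, "naive:", naive_is_blocked(u), "canonical:", is_blocked(u))
```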
