WebApp Sec mailing list archives
Re: .com. filter bypass
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 19 Aug 2004 13:02:46 +0200
On Wed, Aug 18, 2004 at 12:05:39PM -0700, RSnake wrote:
> "http://www.google.com./" is a valid url in browsers (with the dot at the end).
Because "example.com." is a standard way to represent an absolute DNS name - the root level domain is a null string, hence the dot at the end.

Quoting from RFC 1034 - Domain names - concepts and facilities:

"When a user needs to type a domain name, the length of each label is omitted and the labels are separated by dots ("."). Since a complete domain name ends with the root label, this leads to a printed form which ends in a dot. We use this property to distinguish between:

   - a character string which represents a complete domain name (often called "absolute"). For example, "poneria.ISI.EDU."

   - a character string that represents the starting labels of a domain name which is incomplete, and should be completed by local software using knowledge of the local domain (often called "relative"). For example, "poneria" used in the ISI.EDU domain.

Relative names are either taken relative to a well known origin, or to a list of domains used as a search list. Relative names appear mostly at the user interface, where their interpretation varies from implementation to implementation, and in master files, where they are relative to a single origin domain name. The most common interpretation uses the root "." as either the single origin or as one of the members of the search list, so a multi-label relative name is often one where the trailing dot has been omitted to save typing."
> As a side note, nslookup and traceroute both ignored the trailing period
I wouldn't call that "ignorance" since in fact it actually adds the dot to the end automatically if it is not there already. The thing that is broken is the URL checking filter and I'm sure the original poster probably had this in mind. I just wanted to clear the background. (sorry for the noise)

Anyway, this is not a new thing. There are also many other schemas for circumventing "web content filters". This one is one of the oldest and afaik it does not work against modern filters...

Related links:
http://nocensor.citizenlab.org/
http://www.usenix.org/publications/library/proceedings/sec02/feamster/feamster_html/

Martin Mačok
IT Security Consultant
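
The filter-side fix implied by the message above, as an added example that is not part of the original post: a host blocklist that compares raw strings misses the absolute form "example.com.", while one that canonicalizes the host first treats both forms as the same name. The function names and the `blocked.example` blocklist entry are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example (not from the original post).
BLOCKED_DOMAINS = {"blocked.example"}


def _matches(host):
    """True if host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def naive_is_blocked(url):
    """The broken kind of filter: compares the raw authority string."""
    return _matches(urlsplit(url).netloc)


def canonical_host(url):
    """Reduce the URL host to a single canonical form before any policy check."""
    host = urlsplit(url).hostname or ""  # drops userinfo/port, lowercases
    # RFC 1034: "example.com." is the absolute form of "example.com",
    # so strip exactly one trailing root dot.
    if host.endswith("."):
        host = host[:-1]
    # Anything still containing an empty label ("a..b", "a.b..") is malformed.
    if not host or "" in host.split("."):
        raise ValueError("malformed host in %r" % url)
    return host


def is_blocked(url):
    """Hardened filter: canonicalize first, fail closed on unparsable hosts."""
    try:
        return _matches(canonical_host(url))
    except ValueError:
        return True


if __name__ == "__main__":
    for u in ("http://www.blocked.example/",
              "http://www.blocked.example./",
              "http://WWW.Blocked.Example.:80/x",
              "http://allowed.example./"):
        print(u, "naive:", naive_is_blocked(u), "hardened:", is_blocked(u))
```
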