WebApp Sec mailing list archives

Re: .com. filter bypass


From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 19 Aug 2004 13:02:46 +0200

On Wed, Aug 18, 2004 at 12:05:39PM -0700, RSnake wrote:

> "http://www.google.com./" is a valid url in browsers (with the dot
> at the end).

Because "example.com." is a standard way to represent an absolute DNS
name - the root-level domain is a null string, hence the dot at the end.

Quoting from RFC 1034 - Domain names - concepts and facilities

"When a user needs to type a domain name, the length of each label is
 omitted and the labels are separated by dots (".").  Since a complete
 domain name ends with the root label, this leads to a printed form
 which ends in a dot.  We use this property to distinguish between:

   - a character string which represents a complete domain name
     (often called "absolute").  For example, "poneria.ISI.EDU."

   - a character string that represents the starting labels of a
     domain name which is incomplete, and should be completed by
     local software using knowledge of the local domain (often
     called "relative").  For example, "poneria" used in the
     ISI.EDU domain.

 Relative names are either taken relative to a well known origin, or
 to a list of domains used as a search list.  Relative names appear
 mostly at the user interface, where their interpretation varies from
 implementation to implementation, and in master files, where they are
 relative to a single origin domain name.  The most common
 interpretation uses the root "." as either the single origin or as
 one of the members of the search list, so a multi-label relative name
 is often one where the trailing dot has been omitted to save typing."

> As a side note, nslookup and traceroute both ignored the trailing
> period.

I wouldn't call that "ignorance" since in fact it actually adds the
dot to the end automatically if it is not there already.

The thing that is broken is the URL checking filter and I'm sure the
original poster probably had this in mind. I just wanted to clear the
background. (sorry for the noise) 

Anyway, this is not a new thing. There are also many other schemes for
circumventing "web content filters". This one is among the oldest and
afaik it does not work against modern filters...

Related links:
http://nocensor.citizenlab.org/
http://www.usenix.org/publications/library/proceedings/sec02/feamster/feamster_html/

Martin Mačok
IT Security Consultant
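Added example (not part of the thread, and not anyone's filter code): a URL blocklist that compares the parsed host string exactly, which is bypassed by the absolute-name spelling with the trailing dot, next to a check that canonicalizes the host first. The blocklist contents and the URLs are constructed for the demo; the only host from the thread is www.google.com.

```python
"""Trailing-dot (absolute DNS name) bypass of a URL blocklist, and the fix.

Added example, not code from the original mailing-list thread.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed blocklist for the demo (hypothetical filter policy).
BLOCKED_HOSTS = {"www.google.com"}


def naive_is_blocked(url: str) -> bool:
    """What the broken filter does: exact match on the host as parsed.

    "www.google.com." is a different string from "www.google.com", so the
    absolute form slips through even though the resolver treats them alike.
    """
    host = urlsplit(url).hostname or ""
    return host in BLOCKED_HOSTS


def canonical_host(url: str) -> Optional[str]:
    """Reduce a URL's host to the relative spelling a resolver would use.

    - urlsplit().hostname already lowercases and drops any port/brackets.
    - A single trailing dot marks an absolute name (RFC 1034 section 3.1);
      strip it so "www.google.com." and "www.google.com" compare equal.
    - Any empty label left over (e.g. "a..b", ".a", or two trailing dots)
      is not a valid name: return None so the caller can fail closed
      instead of guessing what the client's resolver will do with it.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if any(label == "" for label in labels):
        return None
    return host


def hardened_is_blocked(url: str) -> bool:
    """Blocklist check on the canonical host; unparseable hosts are blocked."""
    host = canonical_host(url)
    if host is None:
        return True
    return host in BLOCKED_HOSTS


if __name__ == "__main__":
    # Constructed sample URLs: the plain name, the absolute (trailing-dot)
    # spelling from the thread, a mixed-case absolute spelling, and junk.
    for u in ("http://www.google.com/",
              "http://www.google.com./",
              "http://WWW.Google.COM./",
              "http://www.google.com../",
              "http://www.example.org./"):
        print(f"{u:32} naive={naive_is_blocked(u)!s:5} "
              f"hardened={hardened_is_blocked(u)}")
```

The point of stripping exactly one dot rather than `rstrip(".")` is that a name with two trailing dots is not a valid absolute name; refusing it (fail closed) is safer than silently mapping it onto the blocklisted host and hoping the client's resolver agrees.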

