| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 May 2010 10:10:55 -0600 From: dm@...urityfocus.com To: Nate Eldredge <nate@...tsmathematics.com> Cc: bugtraq@...urityfocus.com Subject: Re: Administrivia: Real domain names in PoC/exploit examples On Fri, May 28, 2010 at 08:38:57AM -0700, Nate Eldredge wrote: > On Fri, 28 May 2010, dm@...urityfocus.com wrote: > > >And this is the sort of thing that would be appropriate: > >- www.example.com (this is really the best way to go) > > Except that www.example.com, while reserved according to RFC 2606, > actually resolves to a host with a web server (running, interestingly, > Apache 2.2.3 from circa 2006), which gives you a page telling you about > RFC 2606. It appears to be run by the IANA. So it might be polite not to > use this, so as not to attack the IANA by mistake. > > Better would be the reserved TLDs from RFC 2606, which AFAIK should never > resolve at all: *.test, *.example, and *.invalid. Unfortunately, > "www.foo.example" is less obviously a host name compared to > "www.example.com". > > >- Some other place-holder that is not a valid domain such as <victim>, > >etc. > > That works too. > > -- Okay, agreed. Let us not abuse IANA's poor little Apache 2.2.3 server. So, to sum up, these guys are good for exploit/PoC examples: 1. Place-holder such as <victim>. 2. Reserved TLDs from RFC 2606 such as *.test, *.example, and *.invalid. -- Dave McKinney Symantec keyID: E461AE4E key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E
Powered by blists - more mailing lists