Reliance on DNS Lookups in a Security Decision
ID: 247 | Date: (C)2012-05-14 (M)2022-10-10
Type: weakness | Status: INCOMPLETE
Abstraction Type: Variant
Description
Attackers can spoof DNS entries. Do not rely on DNS names for
security.
Applicable Platforms
- Language Class: All
Time Of Introduction
- Implementation
- Architecture and Design
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Gain privileges / assume identity; Bypass protection mechanism | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Perform proper forward and reverse DNS lookups to detect DNS spoofing. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-247 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code samples use a DNS lookup to decide whether an inbound request comes from a trusted host. If an attacker can poison the DNS cache, they can gain trusted status. (Demonstrative Example Id DX-93)
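The code samples referred to above are not reproduced on this page. The following added example (not part of the CWE entry) shows the weakness pattern beside the mitigation the entry recommends: the first check trusts whatever name a reverse (PTR) lookup returns, the second performs a forward-confirmed reverse lookup and accepts the name only when the forward record maps back to the peer address. DNS is modelled by a small in-memory resolver so the example runs offline; the host name `trustme.example.com`, the addresses, and the `FakeResolver` class are constructed for this example.

```python
"""Trust decisions based on DNS names: the CWE-247 pattern beside a
forward-confirmed reverse DNS check (added example, not part of the entry).

The resolver is modelled as two dictionaries so the example runs offline:
    ptr: ip -> hostname      (reverse lookup, what gethostbyaddr returns)
    a:   hostname -> [ips]   (forward lookup, what gethostbyname returns)
All names and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED_HOST = "trustme.example.com"   # hypothetical trusted host name


@dataclass
class FakeResolver:
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        """Reverse lookup: address -> name (None if no PTR record)."""
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        """Forward lookup: name -> list of addresses (empty if unknown)."""
        return self.a.get(name, [])


def is_trusted_reverse_only(ip: str, resolver: FakeResolver) -> bool:
    """CWE-247 pattern: trust whoever the PTR record says the peer is.

    The PTR record is controlled by whoever owns the reverse zone for the
    peer's address block, or by anyone who can poison the cache, so the
    returned name proves nothing about the peer."""
    name = resolver.reverse(ip)
    return name == TRUSTED_HOST


def is_trusted_forward_confirmed(ip: str, resolver: FakeResolver) -> bool:
    """Mitigation from the entry: forward and reverse lookups must agree.

    The name from the reverse lookup is accepted only if a forward lookup of
    that name contains the peer address. A spoofed PTR record alone is no
    longer enough; the forward zone of the trusted name must also answer."""
    name = resolver.reverse(ip)
    if name != TRUSTED_HOST:
        return False
    return ip in resolver.forward(name)


def demo() -> Dict[str, bool]:
    # Constructed records: the genuine trusted host at 192.0.2.10, plus a
    # second address whose PTR record (or poisoned cache entry) claims the
    # trusted name while the forward record for that name does not list it.
    resolver = FakeResolver(
        ptr={"192.0.2.10": TRUSTED_HOST,
             "198.51.100.7": TRUSTED_HOST},        # spoofed / poisoned PTR
        a={TRUSTED_HOST: ["192.0.2.10"]},
    )
    return {
        "legit_reverse_only": is_trusted_reverse_only("192.0.2.10", resolver),
        "spoof_reverse_only": is_trusted_reverse_only("198.51.100.7", resolver),
        "legit_fcrdns": is_trusted_forward_confirmed("192.0.2.10", resolver),
        "spoof_fcrdns": is_trusted_forward_confirmed("198.51.100.7", resolver),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running `demo()` shows the reverse-only check accepting both addresses, while the forward-confirmed check accepts only the address that the trusted name actually resolves to. The forward-confirmed check narrows the exposure but does not remove it: a poisoned cache that serves both the reverse and the forward answer still passes, which is why the entry's description stands as written. A DNS name can be logged or used as a secondary signal, but the access decision itself should rest on an authenticated identity rather than on a name.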
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings: None
References:
- Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010. Section: "Sin 15: Not Updating Easily", page 231.
- Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010. Section: "Sin 24: Trusting Network Name Resolution", page 361.
- Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment", 1st Edition. Addison Wesley, 2006. Section: Chapter 16, "DNS Spoofing", page 1002.