HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Subdomains With Hyphens

I’ve been running a lightweight web crawler for a while just to look for interesting things. Recently I’ve noticed several web sites with hyphens at the beginning or end (or both) of their subdomain names/labels. The first time I saw it, I chalked it up to a link error, but after noticing it a few times it warranted investigation.

 

Here’s an example with both: http://-brainfreeze-.blogspot.com/

 

Obviously Blogspot allows that, but I got to wondering if that’s technically legitimate, and if so, what software accepts or barfs on it? So let’s look at the mess of RFCs that I found… RFC-608, RFC-592, RFC-1033, RFC-1034, RFC-1132, RFC-1738 and RFC-1912 all throw their hands into the host/domain name cookie jar (did I miss any?).

 

RFC-1912, which seems to be the latest, says (emphasis mine):


Allowable characters in a label for a host name are only ASCII letters, digits, and the `-' character. Labels may not be all numbers, but may have a leading digit (e.g., 3com.com). Labels must end and begin only with a letter or digit.

 

So… my interpretation is that that “-brainfreeze-“ and others are in violation of this RFC. But we all know how this really works—it only matters what the browsers support—so what do they do?

 

Not surprisingly, IE, Firefox (Mac & Windows), Safari (Mac) and Opera (Mac) all open the web site without a problem. Safari on the iPhone, however, fails with the error “Safari can't open the page because it can't find the server.”


 


So that leads us outside the browser…

 

Some quick mail tests show Outlook, Thunderbird and Gmail all will accept them in a “To” field. Apache seems to have no issues with them, either.

 

Plesk, a popular web server management package, disallows them, saying the subdomain field has an “improper value.”

 

For programming languages, PERL’s LWP module won’t load them (“bad hostname”), and Ruby’s Hpricot library won’t either (“the scheme http does not accept registry part”).  PHP with include/require fails (“php_network_getaddresses: getaddrinfo failed: Name or service not known”). Python’s urllib2 also spits up on it (“IOError: (-2, 'Name or service not known')”).


 


However, these errors may not be in any particular language or program, but based on underlying name resolution issues. It’s important to note that nslookup on Windows, and nslookup/dig on OS X and CentOS 5.2 don’t have any problems with these names (on the same hosts those languages were tried on).  I’ll try to look at the resolution libraries soon for some of those and post a follow-up.

 For web sites, Archive.org's Wayback Machine gives a vague error if you try to look up our friend "-brainfreeze-" (it differs from a nonexistent host), but Google's cache of it works. Tinyurl doesn't have any issues either. 

So is this a security issue? Probably not directly—but it may be a problem using tools against names that fit this pattern. What happens if your proxy or filter fails to parse the name, what tools rely on a “broken” ping or name lookup before they do something, what tools use urllib2 or LWP under the hood, and what hostname parsing routines will simply say they are invalid and return an error? Any one of those “minor” issues could cause a compliance failure, if not a real security issue.

 

So to recap, what failed in testing?


-          PERL LWP


-          Ruby Hpricot


-          Python urllib2


-          PHP include/require


-          Plesk


-          Safari (iPhone)


-     The Wayback Machine

 

Find others? Post in the comments, and give http://–brainfreeze-.blogspot.com/ some love for being a good test site.

Labels: Firefox| IE| iPhone| Research

IE's Bookmarklet limits create privacy risk

Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL like http:// they use javascript :. This means when you click on the bookmarklet JavaScript code runs. Some common example's of bookmarklets include:




  • Take any word that was highlighted on a webpage and open a new window with the Wikipedia entry for that word


  • Strip all the HTML out of a webpage and only render the images


  • Submit the current URL to a bookmarking site like del.icio.us


The popular Firefox extension, GreaseMonkey is basically a collection of bookmarklets. You can read more about Bookmarklets and see examples on Wikipedia.


Since a bookmarklet is just a javascript : URL with some JavaScript code, it's size is limited by how long a URL can be. All the browsers differ on this limit, with most allowing several kilobytes. However, IE takes the unusual step of specifically crippling the size of a javascript : URL to 508 characters! This
makes it impossible to have complex bookmarklets without resorting to a trick. To load large bookmarklets in IE, the
bookmarklet has to bootstrap a larger JavaScript file by dynamically
creating a SCRIPT tag, and point the source attribute at a file containing the rest of the JavaScript for the bookmarklet. This means IE sends an HTTP request to fetch the rest of the script! This is
actually a privacy violation, because the HTTP request for the larger
JavaScript file will have an HTTP referer (sic) header with the URL of webpage the
person is invoking the bookmarklet on. Depending on the setup, it is possible that a user is telling the bookmarklet creator each and every time they use the bookmark, as well as what website they are using it on.



The bottom line is bookmarklets are a very cool and powerful feature. Any security enhancement gained by limiting their length is far outweighed by the privacy violation it creates.

 

Labels: Bookmark| IE| Privacy
Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Follow Us


HP Blog

HP Software Solutions Blog

Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation