WebApp Sec mailing list archives
RE: http://www.domainname.com./ (with the ending)
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 13 Apr 2005 18:53:36 -0500
Michael Scovetta writes...
I don't think this is anything to be concerned about, but I find it odd that some websites (looks like IIS-sites), if you go to http://server./ (with a period appended), you usually get a "no web site configured", or "under construction". I guess the browser ignores the last . and finds the name in DNS, but then puts the . in the Host header. It looks like Apache ignores the . in the host header, so you wind up seeing http://server/'s content even though the URL says http://server./

For instance:

http://www.google.com./            Normal Google page
http://www.easyasphosting.com./    400 - bad request
http://www.iviewstudio.com./       404 - File Not Found (or "No web site is configured at this address")

I'd assume that if you have multiple hosts configured, then the . throws it off.
Looks like you may have stumbled upon a new way (to me at least) to fingerprint web servers. Anyone know what RFC 2616 (HTTP 1.1 spec) says the behavior _should_ be for this (if it even mentions it at all)? I gotta run and have no time to look it up now, but intuition says it should be ignored in the HOST header since it's a valid DNS name.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall () qwest com
Phone: 614.215.4788

"The reason you have people breaking into your software all over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit
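Added example, not part of the original messages: a model of the name-based virtual-host lookup the thread discusses, showing why an exact string match on the Host header misses `www.example.com.` while a lookup that drops the single trailing root dot resolves it to the same site. The `VHOSTS` table, hostnames, paths and function names are constructed for illustration and do not describe any particular server's implementation.

```python
# Added illustration; VHOSTS, hostnames, paths and function names are constructed.
VHOSTS = {"www.example.com": "/srv/www", "shop.example.com": "/srv/shop"}
DEFAULT_SITE = None  # models "no web site is configured at this address"


def split_host_port(host_header):
    """Split a Host header value into (host, port-or-None)."""
    value = host_header.strip()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        rest = value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        return value[:end + 1], (rest[1:] or None)
    host, sep, port = value.partition(":")
    return host, (port if sep else None)


def normalize_host(host_header):
    """Lowercase the host and drop exactly one trailing root dot."""
    host, _port = split_host_port(host_header)
    host = host.lower()
    if host.endswith(".") and not host.startswith("["):
        host = host[:-1]                           # "www.example.com." -> "www.example.com"
    # Anything still containing an empty label ("a..b", "." or "") is malformed.
    if not host or any(label == "" for label in host.split(".")):
        raise ValueError("empty label in host name")
    return host


def lookup_exact(host_header):
    """Naive lookup: the trailing dot makes the key differ, so no site matches."""
    host, _port = split_host_port(host_header)
    return VHOSTS.get(host, DEFAULT_SITE)


def lookup_normalized(host_header):
    """Lookup that treats 'name' and 'name.' as the same virtual host."""
    try:
        return VHOSTS.get(normalize_host(host_header), DEFAULT_SITE)
    except ValueError:
        return DEFAULT_SITE                        # malformed Host: serve no site


if __name__ == "__main__":
    for h in ("www.example.com", "www.example.com.", "WWW.Example.COM.:8080", "www.example.com.."):
        print(f"{h!r:28} exact={lookup_exact(h)!r:12} normalized={lookup_normalized(h)!r}")
```

Only one trailing dot is removed, so a value such as `www.example.com..` is still rejected rather than silently mapped to a site.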