by LinuxBender
1100 days ago
I've debated that reasoning in the security field and it just goes round-and-round in circles. There are legit cases to avoid this but less about security and more about scanning tools that poorly detect attempts to the loop-back as DNS rebinding attacks vs. an actual DNS rebinding attack which requires malicious code. So avoiding this can avoid some false positives from 3rd party scanners and having to get into silly arguments with people. There are some other obscure edge cases but they delve more into hypothetical scenarios and people can never seem to show a real world implementation of their theoretical attack. Besides, there is nothing stopping anyone from pointing any domain to 127.0.0.1 on their recursive servers or via /etc/hosts so if this is a risk then somebody is doing something very wrong.

Funny story though, I used to park wildcard sub-domains on 127.0.0.1 just to keep the bots off the load balancers and a customer said that we were running a vulnerable version of PHP. I said we had no installations of PHP anywhere in production. Turned out they were scanning one of my parked wildcard sub-domains and effectively were scanning their own laptop which had some old PHP web app running on it. That also told me they were not validating certs.
That sounds like a good practice -- why is this not done more often, I wonder.
EDIT: On second thought, I am not so sure. I am not an expert here so I will not try to guess :)