BugTraq
Administrivia: Real domain names in PoC/exploit examples May 28 2010 02:29PM
dm securityfocus com (1 replies)
Re: Administrivia: Real domain names in PoC/exploit examples May 28 2010 03:38PM
Nate Eldredge (nate thatsmathematics com) (1 replies)
On Fri, 28 May 2010, dm (at) securityfocus (dot) com [email concealed] wrote:

> And this is the sort of thing that would be appropriate:
> - www.example.com (this is really the best way to go)

Except that www.example.com, while reserved according to RFC 2606,
actually resolves to a host with a web server (running, interestingly,
Apache 2.2.3 from circa 2006), which gives you a page telling you about
RFC 2606. It appears to be run by the IANA. So it might be polite not to
use this, so as not to attack the IANA by mistake.

Better would be the reserved TLDs from RFC 2606, which AFAIK should never
resolve at all: *.test, *.example, and *.invalid. Unfortunately,
"www.foo.example" is less obviously a host name compared to "www.example.com".

> - Some other place-holder that is not a valid domain such as <victim>,
> etc.

That works too.

--

Nate Eldredge
nate (at) thatsmathematics (dot) com [email concealed]

[ reply ]
Re: Administrivia: Real domain names in PoC/exploit examples May 28 2010 04:10PM
dm securityfocus com


 

Privacy Statement
Copyright 2010, SecurityFocus