“Installing records of the type “localhost. IN A 127.0.0.1” into nameserver setups is a common and logical practice; nevertheless, administrators frequently inadvertently delete the trailing dot, generating an intriguing version of Cross-Site Scripting (XSS) I term Same-Site Scripting. The absence of a dot indicates that the record is incompletely qualified, and so requests of the type “localhost.example.com” are resolved. While this may appear to be innocent on the surface, it allows an attacker to circumvent the RFC2109 (HTTP State Management Mechanism) same-origin limitations and hence hijack state management data.”
Non-FQ localhost entries should be eliminated from nameserver setups for domain hosting websites that rely on HTTP state management.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.