WebApp Sec: Re: http://www.domainname.com./ (with the ending)

[exon <exon () home se>]

Fun issue. It seems to come back to haunt all the sec-lists once every 
six months.
This is the intended DNS lookup behaviour, and FQDN's NOT ending in a 
dot gets one appended before the request is sent to the DNS. Read the 
relevant RFC if you're curious about details.
/exon

Scovetta, Michael V wrote:
> All--
>
> I don't think this is anything to be concerned about, but I find it
> odd that some websites (looks like IIS-sites), if you go to
> http://server./ (with a period appended), you usually get a "no web
> site configured", or "under construction". I guess the browser
> ignores the last . and finds the name in DNS, but then puts the . in
> the Host header. It looks like Apache ignores the . in the host
> header, so you go wind up seeing http://server/'s content even though
> the URL says http://server./
>
> For instance: http://www.google.com./ 		Normal Google page 
> http://www.easyasphosting.com./	400 - bad request 
> http://www.iviewstudio.com./		404 - File Not Found (or "No web site
> is configured at this address")
>
> I'd assume that if you have multiple hosts configured, then the .
> throws it off.
>
> It also looks like Firefox and IE both handle it the same way.
>
> Sorry if this is a re-post-- I've never heard of this before, it just
> struck me as odd, and thought I should throw it out there.
>
>
> Regards,
>
> Michael Scovetta Computer Associates Senior Application Developer