CWE-247: DEPRECATED: Reliance on DNS Lookups in a Security Decision
Learn about CWE-247 (DEPRECATED: Reliance on DNS Lookups in a Security Decision), its security impact, exploitation methods, and prevention guidelines.
What is DEPRECATED: Reliance on DNS Lookups in a Security Decision?
• Overview: Reliance on DNS Lookups in a Security Decision occurs when a program uses Domain Name System (DNS) data, most often the hostname obtained by reverse-resolving a client's IP address, as the basis for a security decision such as authentication or access control. Plain DNS answers are not authenticated, and the reverse (PTR) zone for an address is administered by whoever holds that address block, so an attacker can present a name the application is prepared to trust. This entry is deprecated; its content was merged into CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action).
• Exploitation Methods:
- An attacker who controls an IP address also controls, directly or through their provider, the PTR record for it and can set it to any name, including one under the domain the application trusts. No spoofing is required.
- Where the application resolves names forward, DNS spoofing or cache poisoning can return attacker-controlled answers, so the application trusts the wrong host or connects to a malicious server.
- Sloppy matching widens the hole: a check that a hostname contains "trusted.example" rather than ends with ".trusted.example" accepts "trusted.example.attacker.net".
• Security Impact:
- Direct consequences include unauthorized access (an attacker's host treated as a trusted one) or interception of data sent to a spoofed endpoint.
- Cascading effects include further compromise of network integrity and of the confidentiality of data handled by the trusting system.
- Business impact includes data breaches, loss of customer trust, and potential legal and regulatory consequences.
• Prevention Guidelines:
- Do not base security decisions on DNS data. Authenticate clients cryptographically (for example, mutual TLS with certificate validation, or signed tokens); if a network-level restriction is required, match on the IP address itself rather than on a name derived from it.
- If a reverse lookup must be consulted at all, forward-confirm it: resolve the PTR name back to addresses and require the original IP to be among them (FCrDNS). This defeats an attacker who controls only their own reverse zone, but it is a hygiene check, not authentication.
- DNSSEC (Domain Name System Security Extensions) protects the integrity and authenticity of signed answers against spoofing and cache poisoning, but it does not help when the attacker legitimately controls the zone being queried, as with the reverse zone for their own addresses.
- Use resolver libraries that support DNSSEC validation and that report validation failures rather than silently returning unvalidated data.
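As an added example (not part of the CWE entry or any project's code), the following Python places the vulnerable reverse-DNS check beside a substring-matching variant and a forward-confirmed (FCrDNS) version. The in-memory FakeResolver, the domain trusted.example, and the client addresses are constructed assumptions so the code runs offline; in real code the two resolver calls would be socket.gethostbyaddr() and socket.getaddrinfo().

```python
"""Added example: a reverse-DNS trust check in the CWE-247/CWE-350 style,
a sloppy-matching variant, and a forward-confirmed (FCrDNS) version.

The resolver below is a constructed in-memory stand-in so the example runs
offline; in real code the two calls would be socket.gethostbyaddr() and
socket.getaddrinfo(). The domain name and addresses are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TRUSTED_SUFFIX = ".trusted.example"  # assumed trusted domain; the leading dot matters


@dataclass
class FakeResolver:
    """Constructed DNS stand-in. ptr: IP -> PTR name; a: name -> set of IPs."""
    ptr: dict = field(default_factory=dict)
    a: dict = field(default_factory=dict)

    def reverse(self, ip: str) -> str | None:
        return self.ptr.get(ip)

    def forward(self, name: str) -> set[str]:
        return self.a.get(name, set())


def _normalize(name: str) -> str:
    # PTR answers may carry a trailing dot and mixed case; compare canonically.
    return name.rstrip(".").lower()


def is_trusted_vulnerable(ip: str, resolver: FakeResolver) -> bool:
    """The weakness: trust whatever name the PTR record claims."""
    name = resolver.reverse(ip)
    return name is not None and _normalize(name).endswith(TRUSTED_SUFFIX)


def is_trusted_substring(ip: str, resolver: FakeResolver) -> bool:
    """Same weakness, made worse by substring matching instead of a suffix
    match: 'trusted.example.attacker.net' passes."""
    name = resolver.reverse(ip)
    return name is not None and TRUSTED_SUFFIX.lstrip(".") in _normalize(name)


def is_trusted_fcrdns(ip: str, resolver: FakeResolver) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the
    same IP. An attacker who controls only their own reverse zone cannot
    pass this, but it is still not authentication."""
    name = resolver.reverse(ip)
    if name is None:
        return False
    name = _normalize(name)
    if not name.endswith(TRUSTED_SUFFIX):
        return False
    return ip in resolver.forward(name)


# Constructed scenario: a legitimate host, an attacker who wrote a
# trusted-looking PTR record for their own IP, and an attacker-owned
# domain that merely contains the trusted name.
resolver = FakeResolver(
    ptr={
        "192.0.2.10": "app1.trusted.example.",           # legitimate host
        "203.0.113.7": "app1.trusted.example",           # attacker's own PTR
        "198.51.100.4": "trusted.example.attacker.net",  # substring bait
    },
    a={
        "app1.trusted.example": {"192.0.2.10"},           # only the real IP
        "trusted.example.attacker.net": {"198.51.100.4"},
    },
)


def demo() -> dict[str, tuple[bool, bool, bool]]:
    """Return (vulnerable, substring, fcrdns) verdicts for each client IP."""
    return {
        ip: (
            is_trusted_vulnerable(ip, resolver),
            is_trusted_substring(ip, resolver),
            is_trusted_fcrdns(ip, resolver),
        )
        for ip in resolver.ptr
    }


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Running it shows the attacker at 203.0.113.7 passing both the suffix and substring checks and failing only the forward-confirmed one, while 198.51.100.4 is let in solely by the substring match. FCrDNS only proves that whoever controls the address also controls forward DNS for that name; it says nothing about who is actually connecting, which is why the real fix is to authenticate the peer rather than its DNS name.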
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified