Notice
On this site, we provide a simple online tool to test for some of the vulnerabilities. This test cannot detect all resolver misinterpretation vulnerabilities as the required queries cannot be triggered with javascript in all cases. To test for all vulnerabilities, you can download our test tool or conduct a manual test.
Download tool Manual testOnline Test
Tests running
The tests are currently executed. This process may take several minutes.
No results available: Sanity Check failed!
The sanity chech which ensures that both of our test servers are reachable failed. This is required for the test to work, otherwise the results are unusable:
- The attacker server was not reachable.
- The victim server was not reachable.
Overriding via zero-byte
Your resolver is vulnerable against the cnamezero zero injection payload!
This should be immidiately mitigated as it allows a very easy attack. If you cannot change the behaviour of the resolver you are currently using, you should consider switching to another resolver.
Your resolver is not vulnerable against the cnamezero zero injection payload.
We could not determine vulnerability against the cnamezero zero injection payload.
This test works feeding the resolver with the following records:
cnamedot.attacker.com. IN CNAME victim.com\000.attacker.com.
victim.com\000.attacker.com. IN A 6.6.6.6
When processing the victim.com\000.attacker.com name, the resolver might confuse it with the legitimate victim.com domain, thereby replacing the IP address for victim.com with the attacker's address (6.6.6.6).
Detailed results for different attack variants:
- Direct CNAME: {{results.tests["victim"].result == 'attacker' ? "vulnerable" : (results.tests["victim"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Deferred CNAME (1): {{results.tests["victim-deferred-1"].result == 'attacker' ? "vulnerable" : (results.tests["victim-deferred-1"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Deferred CNAME (2): {{results.tests["victim-deferred-2"].result == 'attacker' ? "vulnerable" : (results.tests["victim-deferred-2"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Direct A: This attack variant cannot be checked online, please download our tool or conduct a manual test.
Overriding via dot in label
Your resolver is vulnerable against the cnamedot zero injection payload.
This is not as critical as vulnerability against zero-byte injection, but you might still consider switching to another resolver.
Your resolver is not vulnerable against the cnamedot zero injection payload.
We could not determine vulnerability against the cnamedot zero injection payload.
This test work feeding the resolver with the following records:
cnamedot.attacker.com. IN CNAME www\.victim.com.
www\.victim.com. IN A 6.6.6.6
When processing the www\.victim.com name, the resolver might confuse it with the legitimate www.victim.com domain, thereby replacing the IP address for www.victim.com with the attacker's address (6.6.6.6).
Detailed results for different attack variants:
- Direct CNAME: {{results.tests["victim.dot"].result == 'attacker' ? "vulnerable" : (results.tests["victim.dot"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Deferred CNAME (1): {{results.tests["victim-deferred-1.dot"].result == 'attacker' ? "vulnerable" : (results.tests["victim-deferred-1.dot"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Deferred CNAME (2): {{results.tests["victim-deferred-2.dot"].result == 'attacker' ? "vulnerable" : (results.tests["victim-deferred-2.dot"].result == "victim" ? "not vulnerable" : "unclear result")}}.
- Direct A: This attack variant cannot be checked online, please download our tool or conduct a manual test.
Special character filtering
These tests will test if your resolver validates hostnames per RFC952. Other than domain names, which can contain arbitrary characters, hostnames are only allowed to contain the characters [0-9a-z-.]. To reduce the chance the an application which is unaware of this is attacked using a domain name containg an injection payloads, stub resolvers should thereby filtering such names.
The test domain containing a slash (
/) was not filtered by your resolver.
The test domain containing an at (
@) was not filtered by your resolver.
The test domain containing an XSS payload (
<img/src=''/onerror='alert("xss")'>) was not filtered by your resolver.
The test domain containing an SQLi payload (
a'OR''=''--) was not filtered by your resolver.
The test domain containing an ANSI escape sequence (
\027[31\;1\;4mHello\027[0m) was not filtered by your resolver.
Raw test results
In case you are interested you can look at th raw test result data here.
{{json(results)}}