If the domain from Table 5: URI Examples is “associate.hacker.com” and the TPS string is “company.com”, the validation is a plain suffix match, so the domain “hackercompany.com” will also match the TPS string and pass the security validation. For example, if the TPS string is “company.com” and the URLs are:
http://www.company.com - this URL is acceptable.
http://associate.company.com - this URL is acceptable.
http://www.hackercompany.com - this URL is acceptable.
In this case “hackercompany” also passes the security validation.
To avoid such security issues, the administrator must set the TPS string to “.company.com” (where there is a “dot” before “company”).
For example, if the TPS string is “.company.com” and the URLs are:
http://www.company.com - this URL is acceptable.
http://associate.company.com - this URL is acceptable.
http://www.hackercompany.com - this URL is not acceptable.
In this case “hackercompany” fails the security validation.
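The following is an added example, not the product's own validation code: a hypothetical reimplementation of the suffix check described above, run over the three URLs from the text with both TPS strings. It also includes a label-boundary variant (an assumption beyond the text) that accepts the bare apex domain, which a dotted TPS string under plain suffix matching would otherwise reject.

```python
from urllib.parse import urlsplit

# Constructed sample input: the three URLs discussed in the text.
SAMPLE_URLS = [
    "http://www.company.com",
    "http://associate.company.com",
    "http://www.hackercompany.com",
]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, ignoring path, query and port.

    Matching on the parsed host rather than the raw URL string means a suffix
    hidden in the path or query (e.g. '?next=.company.com') cannot satisfy the check.
    """
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def tps_suffix_match(url: str, tps: str) -> bool:
    """Plain suffix match, as the text describes the TPS check (hypothetical reimplementation).

    With tps='company.com' this also accepts 'www.hackercompany.com';
    with tps='.company.com' the leading dot forces a label boundary.
    """
    return host_of(url).endswith(tps.lower())


def tps_label_boundary_match(url: str, tps: str) -> bool:
    """Stricter variant (assumption, not the product's rule): accept the apex domain
    itself or any subdomain of it, never a host that merely ends in the same letters."""
    base = tps.lower().lstrip(".")
    host = host_of(url)
    return host == base or host.endswith("." + base)


def evaluate(tps: str, urls=SAMPLE_URLS) -> dict:
    """Run the plain suffix check over a list of URLs; returns {url: accepted}."""
    return {url: tps_suffix_match(url, tps) for url in urls}


if __name__ == "__main__":
    for tps in ("company.com", ".company.com"):
        print(f"TPS string {tps!r}:")
        for url, ok in evaluate(tps).items():
            print(f"  {url:32} -> {'acceptable' if ok else 'not acceptable'}")
```

Running the block reproduces the two tables from the text: the undotted TPS string accepts all three URLs, the dotted one rejects “www.hackercompany.com”. Note that under plain suffix matching the dotted string also rejects a bare “http://company.com”, since “company.com” does not end with “.company.com”; the label-boundary variant accepts it while still rejecting the look-alike domain.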