Rules Repository: RSPEC-5743

Allowing browsers to perform DNS prefetching is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Make sure allowing browsers to perform DNS prefetching is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • OWASP:
      A3

      Description

      By default, web browsers perform DNS prefetching to reduce the latency of the DNS resolutions required when a user clicks a link on a web page.

      For instance, on example.com the hyperlink below contains a cross-origin domain name that the web browser must resolve to an IP address:

      <a href="https://otherexample.com">go on our partner website</a>
      

      These resolutions can add significant latency to requests, especially if the page contains many links to cross-origin domains. DNS prefetching lets the browser resolve those names in the background, before the user clicks a link. This feature can cause privacy issues because DNS resolution is performed from the user's computer without the user's consent, even when they never intend to visit the linked website.

      On a complex private web page, the resulting combination of unique DNS resolutions can indicate to an eavesdropper (someone observing the user's DNS traffic, for instance) that the user is visiting that private page.

      Ask Yourself Whether

      • Links to cross-origin domains could leak confidential information about the user's navigation or behavior on the website.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      Send the X-DNS-Prefetch-Control header with the value off. Note that this can significantly degrade website performance, since every cross-origin link then costs a DNS lookup at click time.
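      The following is an added example, not code from the rule page or from SonarSource: a dependency-free Node.js middleware that sets X-DNS-Prefetch-Control, with the permissive configuration (the hotspot this rule flags) run side by side with the recommended one, plus a small check that inspects the headers a response actually carries. The (req, res, next) signature follows the Express middleware convention so the function can be mounted with app.use(), but Express is not required; the fakeResponse helper and the constructed header objects exist only so the example runs offline.

```javascript
// Added example (not part of RSPEC-5743): controlling DNS prefetching from a
// Node.js web application and checking the header a response actually sends.
// Dependency-free; the (req, res, next) signature follows the Express
// convention, but Express itself is not needed to run this file.
'use strict';

const HEADER = 'X-DNS-Prefetch-Control';

// Middleware factory. allow=true is the permissive configuration: the browser
// resolves every cross-origin hostname found in the page in the background.
// allow=false (the default here) sends "off", the value the rule recommends
// for pages whose link targets reveal something about the user.
function dnsPrefetchControl({ allow = false } = {}) {
  return function (req, res, next) {
    res.setHeader(HEADER, allow ? 'on' : 'off');
    if (typeof next === 'function') next();
  };
}

// Review/test check: given a headers object (any key casing), report whether
// the browser is still allowed to prefetch. An absent header means the
// browser default applies, i.e. prefetching enabled for plain-HTTP pages.
function prefetchAllowed(headers) {
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === HEADER.toLowerCase());
  if (!entry) return true;               // no header: browser default applies
  return String(entry[1]).trim().toLowerCase() !== 'off';
}

// Minimal stand-in for a Node/Express response so the example runs offline.
// Node lowercases header names internally; we do the same.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Run the hotspot configuration, the hardened one, and a response where the
// application never set the header, and report what the browser would do.
function compareConfigurations() {
  const permissive = fakeResponse();
  dnsPrefetchControl({ allow: true })(null, permissive, () => {});

  const hardened = fakeResponse();
  dnsPrefetchControl({ allow: false })(null, hardened, () => {});

  const untouched = fakeResponse();      // header never set by the application

  return {
    permissive: prefetchAllowed(permissive.headers),   // true: hotspot
    hardened: prefetchAllowed(hardened.headers),       // false: recommended
    untouched: prefetchAllowed(untouched.headers),     // true: browser default
  };
}

// Usage with Express would be: app.use(dnsPrefetchControl()); mounted before
// any route so every response carries "X-DNS-Prefetch-Control: off".
module.exports = { dnsPrefetchControl, prefetchAllowed, compareConfigurations };
```

      For static pages where no server-side header can be set, the same effect is available in the document itself with <meta http-equiv="x-dns-prefetch-control" content="off">. Either way, prefetchAllowed() is the kind of check to run in an integration test so that a later change to the middleware stack does not silently re-enable prefetching.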

        Language specification: RSPEC-5746 (JavaScript), Active, Unassigned

            Assignee: Unassigned
            Reporter: Eric Therond