Quick Domain Spoof with cURL

can

In this case, you have a few ways:

  • Add an entry to your local hosts file to adjust name resolution.
  • Use cURL when you have no access to your system configuration.

The first option is obvious, so let's see how we could substitute domain names with cURL. My imaginary system has:

  • Public URLs are https://account.domain.com and https://shop.domain.com.
  • Both names resolve to the same load balancer.
  • Backend nodes with IP 192.168.1.[5-9] map a public domain to an appropriate virtual host with different backend applications.
  • Backend nodes have virtual hosts matching the public URLs with different TLS configurations and backend applications.

You can send a live check request without accessing the public load balancer. With cURL, you can use the --resolve argument to alter name resolution and access the correct virtual host.


$ curl -vv --resolve account.domain.com:443:192.168.1.5 \
https://account.domain.com/home/

$ curl -vv --resolve shop.domain.com:443:192.168.1.7 \
https://shop.domain.com/cart/

Direct Server Check with

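The commands above pre-populate the DNS cache of that cURL process with the new name-to-address mapping, simulating external access to the application. Because the URL still carries the public name, cURL sends that name in the TLS SNI extension and in the Host header, which is what lets the backend node select the matching virtual host. The format of the argument is host-name-to-spoof:target-port:target-ip-address.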
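
The same check swept across every backend node, as an added example that is not part of the original post. The function names and the --run switch are hypothetical; the hosts, paths and node range are the imaginary system's.

```shell
#!/usr/bin/env bash
# Added example: pin each virtual host to every backend node with --resolve.
# Hosts, paths and node addresses are the article's imaginary system.
VHOSTS="account.domain.com:/home/ shop.domain.com:/cart/"
NODES="192.168.1.5 192.168.1.6 192.168.1.7 192.168.1.8 192.168.1.9"
PORT=443

# Build the --resolve value host:port:address; reject malformed parts.
resolve_spec() {
  local host port ip
  host=$1; port=$2; ip=$3
  case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  case $port in ''|*[!0-9]*) return 1 ;; esac
  case $ip in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s:%s:%s\n' "$host" "$port" "$ip"
}

# Emit one "host path ip spec" line per virtual host / node pair.
plan_checks() {
  local entry host path ip spec
  for entry in $VHOSTS; do
    host=${entry%%:*}; path=${entry#*:}
    for ip in $NODES; do
      spec=$(resolve_spec "$host" "$PORT" "$ip") || return 1
      printf '%s %s %s %s\n' "$host" "$path" "$ip" "$spec"
    done
  done
}

# Run each planned request. A --resolve entry whose host or port does not
# match the URL is ignored and curl uses normal DNS, so compare the address
# curl actually connected to (%{remote_ip}) with the pinned node.
run_checks() {
  local host path ip spec out code remote status
  plan_checks | while read -r host path ip spec; do
    out=$(curl -s -o /dev/null --connect-timeout 5 --resolve "$spec" \
      -w '%{http_code} %{remote_ip}' "https://$host:$PORT$path") || out="000 -"
    code=${out%% *}; remote=${out#* }
    if [ "$code" = "000" ]; then status=FAILED
    elif [ "$remote" = "$ip" ]; then status=ok
    else status=WRONG-NODE; fi
    printf '%-20s %-12s http=%s %s\n' "$host" "$ip" "$code" "$status"
  done
}

# Only touch the network when asked, e.g. by running the script with --run.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A WRONG-NODE line means the request resolved through DNS to the load balancer instead of the pinned backend, so the result says nothing about that node.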

To find more details on cURL connectivity, refer to the utility manual page or run the following from the command line:

$ curl --help connection

Bonus tip on the same point. If you want to see security details for one of my imaginary systems, use the OpenSSL command with the argument -servername.

$ openssl s_client -connect 192.168.1.5:443 \
  -servername account.domain.com </dev/null

$ openssl s_client -connect 192.168.1.5:443 \
  -servername shop.domain.com </dev/null