TH17114
Detected presence of files containing URLs that use trusted domains as subdomains.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | high | None | None |
About the issueโ
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. Attackers often try to trick users into visiting a malicious domain. Users are more likely to click the links they deem to be trustworthy. To appear trustworthy attackers may craft URLs that use well-known and trusted domains as subdomains. Subdomains appear first in the browser address bar. Combined with other URL obfuscation techniques, this approach may mislead the users into visiting an attacker-controlled domain. While presence of trusted domains as subdomains does not imply malicious intent, all instances of this issue should be reviewed for spelling mistakes and typos. An attacker could be controlling the domains the application intends to connect to.
How to resolve the issueโ
- Investigate reported detections.
- If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
- You should delay the software release until the investigation is completed, or until the issue is risk accepted.
- Remove all references to flagged network locations.
Recommended readingโ
- Typosquatting (ReversingLabs glossary)
- Catching deceptive links before the phish (ReversingLabs blog)