[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)
johanna curiel curiel
johanna.curiel at owasp.org
Tue Feb 16 02:07:46 UTC 2016
Hi leaders
I have a question. I was looking for some info to understand the attack surface,
but could not find a specific case or documentation regarding this.
The situation is the following:
- A system admin has configured multiple subdomains under 1 server
- A reverse proxy redirects to subdomains
- However, session ids are not properly validated: userA can make a request
on subdomain_A and use the same session id if he browses to subdomainB
(the server/application does not revalidate a new session again)
- After tampering with request headers such as Referer and Host, I'm
able to show in the URL that I'm in subdomainB; however, I'm userA. Funny enough,
the application shown is from subdomainA but the URL is showing subdomainB
Questions:
- What are the possible attack vectors to bypass the authentication
(let's say impersonate and log in to the subdomainB application)?
- Are there any other kinds of risks associated with this vulnerability?
- When I tested this using Burp, I got a message 'Cookie scoped to
parent domain' (which of course allowed me to trick the server with the
Referer/Host request tampering)
Cheers
Johanna
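An added example, not from Johanna's message or any OWASP project, showing the two defender-side checks behind the "Cookie scoped to parent domain" finding: flagging Set-Cookie headers whose Domain attribute covers sibling subdomains, and a session store that records which subdomain issued a session id and refuses it elsewhere (the revalidation the message says is missing). All hostnames, cookie names and values are constructed.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a reverse proxy or app might emit them.
SET_COOKIE_HEADERS = [
    # Domain attribute set to the parent: sent to every *.example.org subdomain
    "JSESSIONID=abc123; Domain=.example.org; Path=/; HttpOnly",
    # No Domain attribute: host-only cookie, sent back only to the issuing host
    "csrftoken=def456; Path=/; HttpOnly; Secure",
]


def parent_scoped_cookies(headers, request_host):
    """Return names of cookies whose Domain attribute is wider than the host that
    set them, i.e. cookies the browser will also present to sibling subdomains."""
    flagged = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain and domain != request_host.lower():
                flagged.append(name)
    return flagged


class SessionStore:
    """In-memory session store (constructed for this example) that binds each
    session id to the subdomain that issued it and rejects it on any other."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "host": ...}

    def create(self, user, host):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "host": host.lower()}
        return sid

    def resolve(self, sid, host):
        """Return the user only if the request Host matches the issuing host;
        otherwise None, so the application must re-authenticate the user."""
        session = self._sessions.get(sid)
        if session is None or session["host"] != host.lower():
            return None
        return session["user"]


if __name__ == "__main__":
    print("parent-scoped:", parent_scoped_cookies(SET_COOKIE_HEADERS, "app-a.example.org"))
    store = SessionStore()
    sid = store.create("userA", "app-a.example.org")
    print("same subdomain:", store.resolve(sid, "app-a.example.org"))
    print("other subdomain:", store.resolve(sid, "app-b.example.org"))
```

Without the Host binding, `resolve` would return `userA` on `app-b` as well, which is the behaviour the message describes.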