[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

johanna curiel curiel johanna.curiel at owasp.org
Tue Feb 16 04:42:57 UTC 2016


Forgot to mention, other vulnerabilities than session fixation

The situation is the following:


   - A system admin has configured multiple subdomains under 1 server
   - A reverse proxy redirects to subdomains
   - However, session ids are not properly validated, as userA can request
   on subdomain_A and use the same session id if he browses to subdomainB
   (the server/application does not revalidate a new session again)
   - After tampering with request headers such as Referer and Host, I'm
   able to show in the URL that I'm in subdomainB, however I'm userA. Funny enough,
   the application shown is from SubdomainA but the URL is showing subdomainB

Questions


   - What are the possible attack vectors to bypass the authentication
   (let's say impersonate and log in to the subdomainB application) other than
   session fixation


   - Are there any other kinds of risks associated with this vulnerability?


   - When I tested this using Burp, I got a message 'Cookie scoped to
   parent domain' (which of course allowed me to trick the server with the
   Referer/Host request tampering)


On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi leaders
>
> I have a question I was looking for some info to understand surface attack
> but could not find a specific case or documentation regarding this
>
> The situation is the following:
>
>
>    - A system admin has configured multiple subdomains under 1 server
>    - A reverse proxy redirects to subdomains
>    - However, session ids are not properly validated, as userA can request
>    on subdomain_A and use the same session id if he browses to subdomainB
>    (the server/application does not revalidate a new session again)
>    - After tampering with request headers such as Referer and Host, I'm
>    able to show in the URL that I'm in subdomainB, however I'm userA. Funny enough,
>    the application shown is from SubdomainA but the URL is showing subdomainB
>
> Questions
>
>
>    - What are the possible attack vectors to bypass the authentication
>    (let's say impersonate and log in to the subdomainB application)
>
>
>    - Are there any other kinds of risks associated with this vulnerability?
>
>
>    - When I tested this using Burp, I got a message 'Cookie scoped to
>    parent domain' (which of course allowed me to trick the server with the
>    Referer/Host request tampering)
>
> Cheers
>
> Johanna
>
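The two weaknesses the thread describes are a session cookie scoped to the parent domain (so the browser sends it to every subdomain) and a backend that never checks which subdomain a session was issued for. The following is an added example, not code from the original thread or from any OWASP project, showing the defensive side: a session store that binds each session id to the Host that created it, a Host allowlist a reverse proxy or application should route on instead of trusting an arbitrary Host header, and the weak parent-domain Set-Cookie beside the host-only form. The hostnames `subdomainA.example.test` / `subdomainB.example.test`, the parent domain `example.test` and the cookie name `sessionid` are constructed placeholders.

```python
"""Added illustration (not from the thread): host-bound sessions and host-only cookies."""
import secrets
from http.cookies import SimpleCookie

# Constructed placeholders standing in for the thread's subdomainA / subdomainB.
PARENT_DOMAIN = "example.test"
KNOWN_HOSTS = {"subdomaina.example.test", "subdomainb.example.test"}


def route_host(host_header):
    """Normalise the Host header and accept it only if it names a configured
    subdomain. Returning None tells the proxy/app to reject the request instead
    of falling back to some default backend, which is how a tampered Host ends up
    rendering application A under subdomain B's URL."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host if host in KNOWN_HOSTS else None


class SessionStore:
    """Server-side session table that remembers the issuing host for each id."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "host": ...}
        self.rejections = []  # (session_id, host) pairs worth alerting on

    def create(self, user, host):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
        self._sessions[sid] = {"user": user, "host": host.lower()}
        return sid

    def lookup(self, sid, host):
        """Return the user for sid only when the request Host matches the host
        the session was created on. A valid id presented on a different
        subdomain is treated as no session at all and recorded for detection."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["host"] != host.lower():
            self.rejections.append((sid, host))
            return None
        return rec["user"]


def session_cookie(sid, host_only=True):
    """Build the Set-Cookie value. host_only=True omits the Domain attribute, so
    the browser sends the cookie back only to the exact host that set it.
    host_only=False reproduces the 'Cookie scoped to parent domain' finding."""
    c = SimpleCookie()
    c["sessionid"] = sid
    c["sessionid"]["path"] = "/"
    c["sessionid"]["secure"] = True
    c["sessionid"]["httponly"] = True
    c["sessionid"]["samesite"] = "Lax"
    if not host_only:
        c["sessionid"]["domain"] = PARENT_DOMAIN  # weak: shared by all subdomains
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("userA", "subdomainA.example.test")
    print("same host :", store.lookup(sid, "subdomainA.example.test"))
    print("other host:", store.lookup(sid, "subdomainB.example.test"))
    print("rejections:", store.rejections)
    print("weak  :", session_cookie(sid, host_only=False))
    print("fixed :", session_cookie(sid))
    print("route :", route_host("subdomainB.example.test:443"), route_host("other.example.test"))
```

Even with the host check in place, the cookie should still be host-only unless the subdomains are genuinely one application; otherwise every subdomain on the shared server receives the id on every request and the `rejections` list is the only thing standing between them.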