[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Munir Njiru munir.njiru at owasp.org
Tue Feb 16 07:26:01 UTC 2016


Hi Johanna,
Seeing again no revalidation is done, an attacker in my view would also
look for insecure direct object references hence accessing assets they
shouldn't.

Munir Njenga,
OWASP Chapter Leader (Kenya) || Information Security Consultant || Developer
Mob   (KE) +254 (0) 734960670

=============================
Chapter Page: www.owasp.org/index.php/Kenya
Project Site:
http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
Email: munir.njiru at owasp.org
Facebook: https://www.facebook.com/OWASP.Kenya
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya


On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Forgot to mention, other vulnerabilities than session fixation
>
> The situation is the following:
>
>
>    - A system admin has configured multiple subdomains under 1 server
>    - A reverse proxy redirects to subdomains
>    - However, session ids are not properly validated as userA can request
>    on subdomain_A and use the same session id if he browses to subdomainB
>    (the server/application does not revalidate a new session again)
>    - After tampering with request headers such as Referer and Host, I'm
>    able to show in the URL I'm in subdomainB however I'm userA. Funny enough
>    the application shown is from SubdomainA but the URL is showing subdomainB
>
> Questions
>
>
>    - What are the possible attack vectors to bypass the authentication
>    (let's say impersonate and login into subdomainB application) other
>    than session fixation
>
>
>    - Are any other kind of risks associated with this vulnerability?
>
>
>    - When I tested this using burp, I got a message 'Cookie scoped to
>    parent domain' (which of course allowed me to trick the server with the
>    Referer/Host request tampering)
>
>
> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi leaders
>>
>> I have a question I was looking for some info to understand surface
>> attack but could not find a specific case or documentation regarding this
>>
>> The situation is the following:
>>
>>
>>    - A system admin has configured multiple subdomains under 1 server
>>    - A reverse proxy redirects to subdomains
>>    - However, session ids are not properly validated as userA can
>>    request on subdomain_A and use the same session id if he browses to
>>    subdomainB (the server/application does not revalidate a new session again)
>>    - After tampering with request headers such as Referer and Host,
>>    I'm able to show in the URL I'm in subdomainB however I'm userA. Funny
>>    enough the application shown is from SubdomainA but the URL is showing
>>    subdomainB
>>
>> Questions
>>
>>
>>    - What are the possible attack vectors to bypass the authentication
>>    (let's say impersonate and login into subdomainB application)
>>
>>
>>    - Are any other kind of risks associated with this vulnerability?
>>
>>
>>    - When I tested this using burp, I got a message 'Cookie scoped to
>>    parent domain' (which of course allowed me to trick the server with the
>>    Referer/Host request tampering)
>>
>> Cheers
>>
>> Johanna
>>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
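A defender's-side illustration of the scenario in the thread, added here as example code (not from the list or from any OWASP project): the parent-domain cookie that Burp flags beside a host-only one, and a server-side check that binds each session id to the Host it was issued for, so a session issued on subdomainA is refused and revoked when replayed against subdomainB while the Referer header is ignored entirely. The hostnames, the in-memory SESSIONS store and the function names are constructed assumptions.

```python
import secrets
from typing import Dict, Optional, Tuple

PARENT_DOMAIN = "example.com"  # constructed sample parent domain
# In-memory stand-in for a real session store: sid -> (user, issuing host)
SESSIONS: Dict[str, Tuple[str, str]] = {}


def weak_set_cookie(sid: str) -> str:
    """The setting Burp reports as 'Cookie scoped to parent domain': a Domain
    attribute makes the browser send the cookie to every subdomain."""
    return f"sid={sid}; Domain={PARENT_DOMAIN}; Path=/"

def hardened_set_cookie(sid: str) -> str:
    """Host-only cookie: with no Domain attribute the browser returns it only
    to the exact host that set it."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def normalize_host(host: str) -> str:
    """Lower-case the Host header and strip an optional :port suffix."""
    host = host.strip().lower()
    if ":" in host and not host.endswith("]"):  # keep bare IPv6 literals intact
        host = host.rpartition(":")[0]
    return host

def login(user: str, host: str) -> str:
    """Issue a fresh random session id bound to the host that served the login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (user, normalize_host(host))
    return sid

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user for this request, or None if the session id is unknown
    or was issued for a different host. Only Host is consulted; Referer is
    client-controlled and deliberately ignored."""
    cookie = headers.get("Cookie", "")
    pairs = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    sid = pairs.get("sid", "")
    if sid not in SESSIONS:
        return None
    user, issued_for = SESSIONS[sid]
    if normalize_host(headers.get("Host", "")) != issued_for:
        # Replay against another subdomain: revoke server-side so the same id
        # cannot be retried on the original host either.
        del SESSIONS[sid]
        return None
    return user
```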