[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Ali Razmjoo ali.razmjoo at owasp.org
Tue Feb 16 09:03:06 UTC 2016


Hello Johanna,

I don't have much information, but like @Munir said, it could be used for an
insecure redirect and it's usable for phishing attacks.
Second, you can access the original website, and sometimes it could
help us bypass a firewall or WAF that way. [It could be useful if
you feel the server has a firewall which is blocking your requests while testing for a
bug.]
Third, you may get access to see a restricted area, or internal servers/hosts, by
changing your request. It's not easy to guess internal hosts or IP
addresses, and I don't see any software or scanner to do it for you, but it's
not that hard if you have a live target and write a [python] script for
this. You may also test some ports on the target; you can bypass to access them
[through http] and see there too.

Regards.



On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org> wrote:

> Hi Johanna,
> Seeing again that no revalidation is done, an attacker in my view would also
> look for insecure direct object references, hence accessing assets they
> shouldn't.
>
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Project Site:
> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>
> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Forgot to mention, other vulnerabilities than session fixation
>>
>> The situation is the following:
>>
>>
>>    - A system admin has configured multiple subdomains under 1 server
>>    - A reverse proxy redirects to subdomains
>>    - However, session ids are not properly validated, as userA can
>>    request on subdomain_A and use the same session id if he browses to
>>    subdomainB (the server/application does not revalidate a new session again)
>>    - After tampering with request headers such as Referer and Host,
>>    I'm able to show in the URL I'm in subdomainB; however, I'm userA. Funny
>>    enough, the application shown is from SubdomainA but the URL is showing
>>    subdomainB
>>
>> Questions
>>
>>
>>    - What are the possible attack vectors to bypass the authentication
>>    (let's say impersonate and log in to the subdomainB application) other
>>    than session fixation
>>
>>
>>    - Are any other kind of risks associated with this vulnerability?
>>
>>
>>    - When I tested this using Burp, I got a message 'Cookie scoped to
>>    parent domain' (which of course allowed me to trick the server with the
>>    Referer/Host request tampering)
>>
>>
>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi leaders
>>>
>>> I have a question. I was looking for some info to understand the attack
>>> surface but could not find a specific case or documentation regarding this
>>>
>>> The situation is the following:
>>>
>>>
>>>    - A system admin has configured multiple subdomains under 1 server
>>>    - A reverse proxy redirects to subdomains
>>>    - However, session ids are not properly validated, as userA can
>>>    request on subdomain_A and use the same session id if he browses to
>>>    subdomainB (the server/application does not revalidate a new session again)
>>>    - After tampering with request headers such as Referer and Host,
>>>    I'm able to show in the URL I'm in subdomainB; however, I'm userA. Funny
>>>    enough, the application shown is from SubdomainA but the URL is showing
>>>    subdomainB
>>>
>>> Questions
>>>
>>>
>>>    - What are the possible attack vectors to bypass the authentication
>>>    (let's say impersonate and log in to the subdomainB application)
>>>
>>>
>>>    - Are any other kind of risks associated with this vulnerability?
>>>
>>>
>>>    - When I tested this using Burp, I got a message 'Cookie scoped to
>>>    parent domain' (which of course allowed me to trick the server with the
>>>    Referer/Host request tampering)
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
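The setup Johanna describes above (one server, two applications on sibling subdomains behind a reverse proxy that routes on the Host header, a session cookie scoped to the parent domain, and no revalidation of the session per application) as an added, runnable simulation. This is example code written for this page, not code from the thread or from any OWASP project. The hostnames `appa.example.com` / `appb.example.com`, the cookie name `SESSIONID` and the session ids are constructed for the demonstration; the cookie jar implements RFC 6265 domain matching so the browser side behaves as a real browser would, and the "replay_manually" switch stands in for re-sending the captured cookie by hand from Burp.

```python
"""Simulated reverse proxy + shared session store, vulnerable vs hardened.

Example code added for this page; not from the original thread.
Hostnames, cookie name and session ids are constructed for the demo.
"""
import secrets

COOKIE_NAME = "SESSIONID"
PARENT_DOMAIN = "example.com"            # constructed parent domain
HOST_A = "appa.example.com"              # constructed: "subdomainA"
HOST_B = "appb.example.com"              # constructed: "subdomainB"


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the request host is the cookie domain itself or
    a subdomain of it (so Domain=example.com matches every *.example.com)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    """Minimal browser cookie jar. A cookie set without a Domain attribute is
    host-only and goes back only to the issuing host; a cookie set with
    Domain=example.com is sent to every subdomain (Burp's 'Cookie scoped to
    parent domain' finding)."""

    def __init__(self):
        self._cookies = []  # (name, value, domain, host_only)

    def store(self, issuing_host, name, value, domain_attr=None):
        if domain_attr is None:
            self._cookies.append((name, value, issuing_host, True))
        else:
            self._cookies.append((name, value, domain_attr.lstrip("."), False))

    def cookies_for(self, request_host):
        sent = {}
        for name, value, domain, host_only in self._cookies:
            if host_only and request_host.lower() == domain.lower():
                sent[name] = value
            elif not host_only and domain_matches(request_host, domain):
                sent[name] = value
        return sent


class SharedBackend:
    """One server hosting both applications. The proxy picks the application
    from the Host header; the session store is shared, as in the thread."""

    def __init__(self, scope_cookie_to_parent, bind_session_to_host):
        self.scope_cookie_to_parent = scope_cookie_to_parent  # weak setting when True
        self.bind_session_to_host = bind_session_to_host      # hardening when True
        self.sessions = {}  # sid -> {"user": ..., "host": host that issued it}
        self.routes = {HOST_A: "SubdomainA-app", HOST_B: "SubdomainB-app"}

    def login(self, host, user):
        """Returns the Set-Cookie parameters: (name, value, Domain attribute or None)."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "host": host}
        domain_attr = PARENT_DOMAIN if self.scope_cookie_to_parent else None
        return COOKIE_NAME, sid, domain_attr

    def handle(self, host_header, cookies):
        """Route on Host, then validate the presented session id."""
        app = self.routes.get(host_header)
        if app is None:
            return "404 no application for this Host"
        sess = self.sessions.get(cookies.get(COOKIE_NAME, ""))
        if sess is None:
            return f"401 {app}: login required"
        # Hardened check: a session is only valid for the host that issued it.
        if self.bind_session_to_host and sess["host"] != host_header:
            return f"401 {app}: session was issued for {sess['host']}, not {host_header}"
        return f"200 {app} as {sess['user']}"


def run_scenario(scope_cookie_to_parent, bind_session_to_host, replay_manually=False):
    """userA logs in on subdomain A, then requests subdomain B. With
    replay_manually the captured cookie is re-sent by hand (as with Burp)
    instead of letting the cookie jar decide whether to send it."""
    backend = SharedBackend(scope_cookie_to_parent, bind_session_to_host)
    jar = CookieJar()
    name, sid, domain_attr = backend.login(HOST_A, "userA")
    jar.store(HOST_A, name, sid, domain_attr)
    cookies = {name: sid} if replay_manually else jar.cookies_for(HOST_B)
    return backend.handle(HOST_B, cookies)


if __name__ == "__main__":
    print("parent-scoped cookie, no binding :", run_scenario(True, False))
    print("host-only cookie, no binding     :", run_scenario(False, False))
    print("host-only cookie, manual replay  :", run_scenario(False, False, True))
    print("host-only cookie + host binding  :", run_scenario(False, True, True))
```

The four runs separate the two distinct defects: dropping the `Domain` attribute stops the browser from sending subdomain A's cookie to subdomain B, but an attacker replaying the cookie by hand still gets in until the backend also binds each session to the host (or application) that issued it and rejects it elsewhere. Separate session stores, or at least separate cookie names, per application would achieve the same on a real deployment.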