[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Tom Brennan - OWASP tomb at owasp.org
Wed Feb 17 04:23:54 UTC 2016


Are you referring to what is happening with the OWASP subdomains?

Tom Brennan
Global Board of Directors
(d) 973-506-9304

OWASP Foundation | www.owasp.org

On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org> wrote:

> Hello Johanna,
>
> I don't have much information, but like @Munir said, it could be used for
> insecure redirects and it's usable for phishing attacks.
> Second, you can access the original website, and sometimes it could
> help us to bypass a firewall or WAFs by that. [It could be useful if
> you feel the server has a firewall which is blocking your request for testing a
> bug.]
> 3rd, you may access restricted areas, or internal servers/hosts, by
> changing your request; it's not easy to guess internal hosts or IP
> addresses, I don't see any software or scanner to do it for you, but it's
> not that hard if you have a live target and make a [python] script for
> this. You may also test some ports on the target; you can bypass to access them
> [through http] to see there too.
>
> Regards.
>
>
>
> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
> wrote:
>
>> Hi Johanna,
>> Seeing again that no revalidation is done, an attacker in my view would also
>> look for insecure direct object references, hence accessing assets they
>> shouldn't.
>>
>> Munir Njenga,
>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>> Developer
>> Mob   (KE) +254 (0) 734960670
>>
>> =============================
>> Chapter Page: www.owasp.org/index.php/Kenya
>> Project Site:
>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>> Email: munir.njiru at owasp.org
>> Facebook: https://www.facebook.com/OWASP.Kenya
>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>
>>
>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Forgot to mention, other vulnerabilities than session fixation
>>>
>>> The situation is the following:
>>>
>>>
>>>    - A system admin has configured multiple subdomains under 1 server
>>>    - A reverse proxy redirects to subdomains
>>>    - However, session ids are not properly validated, as userA can
>>>    request on subdomain_A and use the same session id if he browses to
>>>    subdomainB (the server/application does not revalidate a new session again)
>>>    - After tampering with request headers such as Referer and Host,
>>>    I'm able to show in the URL that I'm in subdomainB, however I'm userA. Funny
>>>    enough, the application shown is from SubdomainA but the URL is showing
>>>    subdomainB
>>>
>>> Questions
>>>
>>>
>>>    - What are the possible attack vectors to bypass the authentication
>>>    (let's say impersonate and log in to the subdomainB application) other
>>>    than session fixation
>>>
>>>
>>>    - Are any other kind of risks associated with this vulnerability?
>>>
>>>
>>>    - When I tested this using Burp, I got a message 'Cookie scoped to
>>>    parent domain' (which of course allowed me to trick the server with the
>>>    Referer/Host request tampering)
>>>
>>>
>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi leaders
>>>>
>>>> I have a question. I was looking for some info to understand the attack
>>>> surface but could not find a specific case or documentation regarding this.
>>>>
>>>> The situation is the following:
>>>>
>>>>
>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>    - A reverse proxy redirects to subdomains
>>>>    - However, session ids are not properly validated, as userA can
>>>>    request on subdomain_A and use the same session id if he browses to
>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>    - After tampering with request headers such as Referer and Host,
>>>>    I'm able to show in the URL that I'm in subdomainB, however I'm userA. Funny
>>>>    enough, the application shown is from SubdomainA but the URL is showing
>>>>    subdomainB
>>>>
>>>> Questions
>>>>
>>>>
>>>>    - What are the possible attack vectors to bypass the authentication
>>>>    (let's say impersonate and log in to the subdomainB application)
>>>>
>>>>
>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>
>>>>
>>>>    - When I tested this using Burp, I got a message 'Cookie scoped to
>>>>    parent domain' (which of course allowed me to trick the server with the
>>>>    Referer/Host request tampering)
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>

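As an added example (not code from the thread or from OWASP): one server-side fix for the set-up Johanna describes is to bind each session to the host it was issued for and to emit a host-only cookie, so a session created on subdomain_A is refused on subdomainB instead of being accepted unchanged. The in-memory store, the hostnames and the function names are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: sid -> {"user": ..., "host": ...}.
# In the situation described in the thread the store would record only the
# user, so a session id minted on subdomain_A is accepted on subdomainB.
# Recording the issuing host (assumed design) lets every request be checked.
SESSIONS = {}


def issue_session(user, host):
    """Create a session bound to the exact host that authenticated the user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "host": host.lower()}
    return sid


def set_cookie_header(sid):
    """Host-only cookie: no Domain attribute, so the browser only sends it
    back to the subdomain that set it. Burp's 'Cookie scoped to parent
    domain' finding corresponds to adding Domain=.example.com here."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authorize(host, cookie_header):
    """Return the user for a request, or None if no valid session is bound
    to `host`. `host` must be the value the reverse proxy routed on (the Host
    header it forwarded), never a client-chosen hint such as Referer."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get("sid")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None
    # A session presented to a different subdomain is not revalidated, it is
    # rejected; the user has to authenticate there and get a new session id.
    if session["host"] != host.lower():
        return None
    return session["user"]


if __name__ == "__main__":
    sid = issue_session("userA", "subdomain-a.example.com")
    print(set_cookie_header(sid))
    print(authorize("subdomain-a.example.com", f"sid={sid}"))  # userA
    print(authorize("subdomain-b.example.com", f"sid={sid}"))  # None
```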