[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

johanna curiel curiel johanna.curiel at owasp.org
Wed Feb 17 04:32:19 UTC 2016


No, it is about system admins that create many subdomains where each subdomain
should have a proper level of access, but Set-Cookie is not properly set up
for each subdomain, so you can 'hop' from one subdomain to another reusing
the same cookie ;-)

I tested the Cybertool, quite nice for analysing domains. In my case the
sysadmin/web dev has been smart enough to set a proper robots file that
does not allow spidering, so I don't get a list of the existing subdomains
like the graphics you sent. However, I found something concerning regarding
one of the servers, which seems to be on a blacklist....

Thanks for the tip, I'll test further these days to find out more about how it
works.

Cheers

On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
wrote:

> Are you referring to what is happening with the OWASP subdomains?
>
> Tom Brennan
> Global Board of Directors
> (d) 973-506-9304
>
> OWASP Foundation | www.owasp.org
>
> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
> wrote:
>
>> Hello Johanna,
>>
>> I don't have much information, but like @Munir said, it could be used for
>> insecure redirects and it's usable for phishing attacks.
>> Second, you can access the original website, and sometimes it could
>> help us bypass firewalls or WAFs by that. [It could be useful if
>> you feel the server has a firewall which is blocking your request for testing a
>> bug.]
>> 3rd, you may get access to see a restricted area, or internal servers/hosts, by
>> changing your request. It's not easy to guess internal hosts or IP
>> addresses; I don't see any software or scanner to do it for you, but it's
>> not that hard if you have a live target and make a [python] script for
>> this. You may also test some ports on the target; you can bypass to access them
>> [through http] to see there too.
>>
>> Regards.
>>
>>
>>
>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
>> wrote:
>>
>>> Hi Johanna,
>>> Seeing again no revalidation is done, an attacker in my view would also
>>> look for insecure direct object references, hence accessing assets they
>>> shouldn't.
>>>
>>> Munir Njenga,
>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>> Developer
>>> Mob   (KE) +254 (0) 734960670
>>>
>>> =============================
>>> Chapter Page: www.owasp.org/index.php/Kenya
>>> Project Site:
>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>> Email: munir.njiru at owasp.org
>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>
>>>
>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Forgot to mention, other vulnerabilities than session fixation
>>>>
>>>> The situation is the following:
>>>>
>>>>
>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>    - A reverse proxy redirects to subdomains
>>>>    - However, session ids are not properly validated, as userA can
>>>>    request on subdomain_A and use the same session id if he browses to
>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>    - After tampering with request headers such as Referer and Host,
>>>>    I'm able to show in the URL that I'm in subdomainB; however, I'm userA. Funny
>>>>    enough, the application shown is from subdomainA but the URL is showing
>>>>    subdomainB
>>>>
>>>> Questions
>>>>
>>>>
>>>>    - What are the possible attack vectors to bypass the authentication
>>>>    (let's say impersonate and log in to the subdomainB application) other
>>>>    than session fixation
>>>>
>>>>
>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>
>>>>
>>>>    - When I tested this using burp, I got a message 'Cookie scoped to
>>>>    parent domain' (which of course allowed me to trick the server with the
>>>>    Referer/Host request tampering)
>>>>
>>>>
>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi leaders
>>>>>
>>>>> I have a question. I was looking for some info to understand the attack
>>>>> surface but could not find a specific case or documentation regarding this.
>>>>>
>>>>> The situation is the following:
>>>>>
>>>>>
>>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>>    - A reverse proxy redirects to subdomains
>>>>>    - However, session ids are not properly validated, as userA can
>>>>>    request on subdomain_A and use the same session id if he browses to
>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>    - After tampering with request headers such as Referer and Host,
>>>>>    I'm able to show in the URL that I'm in subdomainB; however, I'm userA. Funny
>>>>>    enough, the application shown is from subdomainA but the URL is showing
>>>>>    subdomainB
>>>>>
>>>>> Questions
>>>>>
>>>>>
>>>>>    - What are the possible attack vectors to bypass the
>>>>>    authentication (let's say impersonate and log in to the subdomainB application)
>>>>>
>>>>>
>>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>>
>>>>>
>>>>>    - When I tested this using burp, I got a message 'Cookie scoped to
>>>>>    parent domain' (which of course allowed me to trick the server with the
>>>>>    Referer/Host request tampering)
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
> The information contained in this message and any attachments may be
> privileged, confidential, proprietary or otherwise protected from
> disclosure. If you, the reader of this message, are not the intended
> recipient, you are hereby notified that any dissemination, distribution,
> copying or use of this message and any attachment is strictly prohibited.
> If you have received this message in error, please notify the sender
> immediately by replying to the message, permanently delete it from your
> computer and destroy any printout.
>
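The 'Cookie scoped to parent domain' finding in this thread comes down to the Domain attribute of Set-Cookie: a cookie set with Domain=parent is sent by the browser to every subdomain, so a session cookie issued by one application reaches the others. Below is an added defender-side check (not code from anyone on this thread) that parses captured Set-Cookie headers and reports which session cookies would be sent to hosts other than the one that issued them; the hostnames and header values are constructed for the demo.

```python
"""Constructed example: check whether session cookies issued by several
subdomains are scoped so that one subdomain's cookie would be sent to another.
Hostnames and Set-Cookie values below are made up for the demo."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a browser would receive them from each host.
CAPTURED = {
    "app-a.example.test": "SESSIONID=abc123; Domain=example.test; Path=/; HttpOnly",
    "app-b.example.test": "SESSIONID=def456; Path=/; Secure; HttpOnly",
}

def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def cookie_scope(issuing_host, set_cookie_header):
    """Return (name, effective_domain, host_only) for the cookie in the header."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"]
    if domain:
        return name, domain.lstrip("."), False
    # No Domain attribute: host-only cookie, sent back only to the issuing host.
    return name, issuing_host, True

def hosts_receiving(issuing_host, set_cookie_header, candidate_hosts):
    """Which of the candidate hosts a browser would send this cookie to."""
    name, domain, host_only = cookie_scope(issuing_host, set_cookie_header)
    if host_only:
        return [h for h in candidate_hosts if h.lower() == issuing_host.lower()]
    return [h for h in candidate_hosts if domain_matches(h, domain)]

def find_shared_session_cookies(captured):
    """Flag cookies that would reach any host other than the one that set them."""
    findings = []
    for issuer, header in captured.items():
        leaks = [h for h in hosts_receiving(issuer, header, captured.keys()) if h != issuer]
        if leaks:
            findings.append((issuer, cookie_scope(issuer, header)[0], sorted(leaks)))
    return findings

if __name__ == "__main__":
    for issuer, name, leaks in find_shared_session_cookies(CAPTURED):
        print(f"{issuer}: cookie {name} is scoped to the parent domain; also sent to {leaks}")
```

Only the first header is flagged: app-a's cookie carries Domain=example.test and therefore also reaches app-b, while app-b's host-only cookie stays on app-b, which is the scoping the thread asks for on every subdomain.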

