[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Tom Brennan - OWASP tomb at owasp.org
Wed Feb 17 04:38:34 UTC 2016


Test these *cough*

Note ongoing ticket on why we have some of these active..


Anyone who wants to play with a new DNS tool I am working on hit me up off
list.

Tom Brennan
Global Board of Directors
NYC/NJ Metro Chapter Leader
(d) 973-506-9304

OWASP Foundation | www.owasp.org

On Tue, Feb 16, 2016 at 11:32 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> No, it's about system admins that create many subdomains where each subdomain
> should have a proper level of access, but Set-Cookie is not properly set up
> for each subdomain, so you can 'hop' from one subdomain to another reusing
> the same cookie ;-)
>
> I tested the Cybertool, quite nice for analysing domains. In my case the
> sysadmin/web dev has been smart enough to set a proper robots file that
> does not allow spidering, so I don't get a list of the existing subdomains
> like the graphics you sent. However I found something concerning regarding
> one of the servers which seems to be in a blacklist....
>
> Thanks for the tip, I'll test further these days to find out more about how it
> works
>
> Cheers
>
> On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>
>> Are you referring to what is happening with the OWASP subdomains?
>>
>> Tom Brennan
>> Global Board of Directors
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
>> wrote:
>>
>>> Hello Johanna,
>>>
>>> I don't have much information, but like @Munir said, it could be used for
>>> insecure redirects and it's usable for phishing attacks.
>>> Second, you can access the original website, and sometimes it
>>> could help us bypass firewalls or WAFs by that. [it could be useful
>>> if you feel the server has a firewall which is blocking your request for
>>> testing a bug]
>>> 3rd, you may get access to see restricted areas, or internal servers/hosts by
>>> changing your request; it's not easy to guess internal hosts or IP
>>> addresses, I don't see any software or scanner to do it for you. But it's
>>> not that hard if you have a live target and make a [python] script for
>>> this. You may also test some ports on the target, you can bypass to access them
>>> [through http] to see there too.
>>>
>>> Regards.
>>>
>>>
>>>
>>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
>>> wrote:
>>>
>>>> Hi Johanna,
>>>> Seeing again no revalidation is done, an attacker in my view would
>>>> also look for insecure direct object references, hence accessing assets they
>>>> shouldn't.
>>>>
>>>> Munir Njenga,
>>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>>> Developer
>>>> Mob   (KE) +254 (0) 734960670
>>>>
>>>> =============================
>>>> Chapter Page: www.owasp.org/index.php/Kenya
>>>> Project Site:
>>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>>> Email: munir.njiru at owasp.org
>>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>>
>>>>
>>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Forgot to mention, other vulnerabilities than session fixation
>>>>>
>>>>> The situation is the following:
>>>>>
>>>>>
>>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>>    - A reverse proxy redirects to subdomains
>>>>>    - However, session ids are not properly validated as userA can
>>>>>    request on subdomain_A and use the same session id if he browses to
>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>    - After tampering with request headers such as Referer and Host,
>>>>>    I'm able to show in the URL I'm in subdomainB however I'm userA. Funny
>>>>>    enough the application shown is from SubdomainA but the URL is showing
>>>>>    subdomainB
>>>>>
>>>>> Questions
>>>>>
>>>>>
>>>>>    - What are the possible attack vectors to bypass the
>>>>>    authentication (let's say impersonate and login into the subdomainB application) other
>>>>>    than session fixation
>>>>>
>>>>>
>>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>>
>>>>>
>>>>>    - When I tested this using burp, I got a message 'Cookie scoped to
>>>>>    parent domain' (which of course allowed me to trick the server with the
>>>>>    Referer/Host request tampering)
>>>>>
>>>>>
>>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Hi leaders
>>>>>>
>>>>>> I have a question. I was looking for some info to understand the attack
>>>>>> surface but could not find a specific case or documentation regarding this
>>>>>>
>>>>>> The situation is the following:
>>>>>>
>>>>>>
>>>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>    - However, session ids are not properly validated as userA can
>>>>>>    request on subdomain_A and use the same session id if he browses to
>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>    - After tampering with request headers such as Referer and
>>>>>>    Host, I'm able to show in the URL I'm in subdomainB however I'm userA.
>>>>>>    Funny enough the application shown is from SubdomainA but the URL is
>>>>>>    showing subdomainB
>>>>>>
>>>>>> Questions
>>>>>>
>>>>>>
>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>    authentication (let's say impersonate and login into the subdomainB application)
>>>>>>
>>>>>>
>>>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>>>
>>>>>>
>>>>>>    - When I tested this using burp, I got a message 'Cookie scoped
>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>    Referer/Host request tampering)
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>

-- 
The information contained in this message and any attachments may be 
privileged, confidential, proprietary or otherwise protected from 
disclosure. If you, the reader of this message, are not the intended 
recipient, you are hereby notified that any dissemination, distribution, 
copying or use of this message and any attachment is strictly prohibited. 
If you have received this message in error, please notify the sender 
immediately by replying to the message, permanently delete it from your 
computer and destroy any printout.
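The cookie-scoping problem the quoted thread describes (a Set-Cookie scoped to the parent domain, and backends behind one reverse proxy that never check which host a session was issued for), worked through as an added example; this is not code from any participant in the thread, and the hostnames app-a.example.org / app-b.example.org and the in-memory session store are placeholders.

```python
"""Bind each session to the host it was issued for.

Added example, not from the thread. A cookie carrying Domain=.example.org
is sent by the browser to every subdomain, so a session created on
app-a.example.org arrives unchanged at app-b.example.org. A backend that
trusts the session id alone then treats the visitor as logged in on a
host they never authenticated to. Hostnames here are placeholders.
"""
import secrets
from http.cookies import SimpleCookie

# In-memory stand-in for a real session store: session id -> {user, host}
SESSIONS = {}


def issue_session(user, host, scope_to_parent=False):
    """Create a session for `user` bound to `host`; return (sid, Set-Cookie value).

    Without a Domain attribute the cookie is host-only, the safe default.
    scope_to_parent=True reproduces the weak 'Cookie scoped to parent
    domain' setup from the thread, for comparison only.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "host": host.lower()}
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["path"] = "/"
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    if scope_to_parent:
        # ".example.org": the browser will send this cookie to every subdomain
        cookie["session"]["domain"] = "." + host.split(".", 1)[1]
    return sid, cookie.output(header="").strip()


def authenticate(headers):
    """Return the user for a request, or None when the presented session
    was not issued for the Host it is now being used on.

    `headers` is a dict of request headers (Host, Cookie). Comparing the
    bound host is what stops a session 'hopping' between subdomains even
    when the browser sends the same cookie to both.
    """
    host = headers.get("Host", "").split(":")[0].lower()
    jar = SimpleCookie(headers.get("Cookie", ""))
    if "session" not in jar:
        return None
    sess = SESSIONS.get(jar["session"].value)
    if sess is None or sess["host"] != host:
        return None  # unknown session, or one issued for another subdomain
    return sess["user"]
```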