[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

johanna curiel curiel johanna.curiel at owasp.org
Wed Feb 17 04:43:23 UTC 2016


Brraaaaw....
That also needs some serious clean up

On Wed, Feb 17, 2016 at 12:38 AM, Tom Brennan - OWASP <tomb at owasp.org>
wrote:

> Test these *cough*
>
> Note ongoing ticket on why we have some of these active..
>
> Anyone who wants to play with a new DNS tool I am working on hit me up off
> list.
>
> Tom Brennan
> Global Board of Directors
> NYC/NJ Metro Chapter Leader
> (d) 973-506-9304
>
> OWASP Foundation | www.owasp.org
>
> On Tue, Feb 16, 2016 at 11:32 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> No, it is about system admins that create many subdomains, but each
>> subdomain should have a proper level of access, and Set-Cookie is not
>> properly set up for each subdomain, so you can 'hop' from one subdomain to
>> another using the same cookie ;-)
>>
>> I tested the Cybertool, quite nice for analysing domains. In my case the
>> sysadmin/web dev has been smart enough to set a proper robots file that
>> does not allow spidering, so I don't get a list of the existing subdomains
>> like the graphics you sent. However, I found something concerning regarding
>> one of the servers, which seems to be on a blacklist....
>>
>> Thanks for the tip, I'll test it further these days to find out more about how
>> it works
>>
>> Cheers
>>
>> On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
>> wrote:
>>
>>> Are you referring to what is happening with the OWASP subdomains?
>>>
>>> Tom Brennan
>>> Global Board of Directors
>>> (d) 973-506-9304
>>>
>>> OWASP Foundation | www.owasp.org
>>>
>>> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
>>> wrote:
>>>
>>>> Hello Johanna,
>>>>
>>>> I don't have much information, but like @Munir said, it could be used
>>>> for insecure redirects and it's usable for phishing attacks.
>>>> Second, you can access the original website, and sometimes it
>>>> could help us bypass firewalls or WAFs that way. [it could be useful
>>>> if you feel the server has a firewall which is blocking your requests for
>>>> testing a bug]
>>>> Third, you may get access to restricted areas, or internal servers/hosts,
>>>> by changing your request. It's not easy to guess internal hosts or IP
>>>> addresses, and I don't see any software or scanner to do it for you, but it's
>>>> not that hard if you have a live target and make a [python] script for
>>>> this. You may also test some ports on the target; you can bypass to access them
>>>> [through http] to see there too.
>>>>
>>>> Regards.
>>>>
>>>>
>>>>
>>>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
>>>> wrote:
>>>>
>>>>> Hi Johanna,
>>>>> Seeing again that no revalidation is done, an attacker in my view would
>>>>> also look for insecure direct object references, hence accessing assets they
>>>>> shouldn't.
>>>>>
>>>>> Munir Njenga,
>>>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>>>> Developer
>>>>> Mob   (KE) +254 (0) 734960670
>>>>>
>>>>> =============================
>>>>> Chapter Page: www.owasp.org/index.php/Kenya
>>>>> Project Site:
>>>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>>>> Email: munir.njiru at owasp.org
>>>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>>>
>>>>>
>>>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Forgot to mention: other vulnerabilities than session fixation
>>>>>>
>>>>>> The situation is the following:
>>>>>>
>>>>>>    - A system admin has configured multiple subdomains under 1 server
>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>    request on subdomainA and use the same session id if he browses to
>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>    - After tampering with request headers such as Referer and
>>>>>>    Host, I'm able to show in the URL that I'm in subdomainB; however, I'm userA.
>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>    showing subdomainB
>>>>>>
>>>>>> Questions
>>>>>>
>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>    authentication (let's say impersonate and log into the subdomainB application) other
>>>>>>    than session fixation
>>>>>>    - Are there any other kinds of risks associated with this vulnerability?
>>>>>>    - When I tested this using Burp, I got a message 'Cookie scoped
>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>    Referer/Host request tampering)
>>>>>>
>>>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Hi leaders
>>>>>>>
>>>>>>> I have a question. I was looking for some info to understand the attack
>>>>>>> surface but could not find a specific case or documentation regarding this
>>>>>>>
>>>>>>> The situation is the following:
>>>>>>>
>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>    server
>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>    request on subdomainA and use the same session id if he browses to
>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>    Host, I'm able to show in the URL that I'm in subdomainB; however, I'm userA.
>>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>>    showing subdomainB
>>>>>>>
>>>>>>> Questions
>>>>>>>
>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>    authentication (let's say impersonate and log into the subdomainB application)
>>>>>>>    - Are there any other kinds of risks associated with this vulnerability?
>>>>>>>    - When I tested this using Burp, I got a message 'Cookie scoped
>>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>>    Referer/Host request tampering)
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> The information contained in this message and any attachments may be
>>> privileged, confidential, proprietary or otherwise protected from
>>> disclosure. If you, the reader of this message, are not the intended
>>> recipient, you are hereby notified that any dissemination, distribution,
>>> copying or use of this message and any attachment is strictly prohibited.
>>> If you have received this message in error, please notify the sender
>>> immediately by replying to the message, permanently delete it from your
>>> computer and destroy any printout.
>>>
>>
>>
>
>
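Johanna's finding above (a session cookie scoped to the parent domain, so the same session id is accepted when the user browses to a sibling subdomain) can be checked straight from the Set-Cookie header rather than by trial in a proxy. The following is an added example, not code from the thread or from any OWASP tool; the hostnames and header values are constructed, and it applies RFC 6265 domain matching to report which hosts would receive the cookie.

```python
# Added example: report which sibling subdomains a browser would send a session
# cookie to, based on RFC 6265 domain matching. Hostnames and headers are constructed.
from http.cookies import SimpleCookie

# Constructed headers: the weak one is what produces Burp's "Cookie scoped to
# parent domain" note; the fixed one is host-only (no Domain attribute).
WEAK_HEADER = "SESSIONID=abc123; Domain=.example.org; Path=/; HttpOnly"
FIXED_HEADER = "SESSIONID=abc123; Path=/; Secure; HttpOnly"
SIBLINGS = ["subdomaina.example.org", "subdomainb.example.org",
            "www.example.org", "example.org", "other.example"]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match for hostnames (IP literals not handled)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_scope(set_cookie: str, origin_host: str) -> dict:
    """Parse one Set-Cookie header received from origin_host and give its scope."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"]
    if not domain:
        # No Domain attribute: host-only cookie, sent back to origin_host only.
        return {"name": name, "domain": origin_host.lower(), "host_only": True, "rejected": False}
    if not domain_matches(origin_host, domain):
        # Browsers discard a cookie whose Domain does not cover the setting host.
        return {"name": name, "domain": None, "host_only": False, "rejected": True}
    return {"name": name, "domain": domain.lower().lstrip("."), "host_only": False, "rejected": False}


def sent_to(set_cookie: str, origin_host: str, target_host: str) -> bool:
    """Would a browser attach this cookie to a request for target_host?"""
    scope = cookie_scope(set_cookie, origin_host)
    if scope["rejected"]:
        return False
    if scope["host_only"]:
        return target_host.lower() == scope["domain"]
    return domain_matches(target_host, scope["domain"])


def audit(set_cookie: str, origin_host: str, hosts: list) -> list:
    """Hosts other than the origin that would receive the cookie: each is a possible hop."""
    return [h for h in hosts if h != origin_host and sent_to(set_cookie, origin_host, h)]


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        print(label, "cookie also sent to:", audit(header, "subdomaina.example.org", SIBLINGS))
```

An empty list for the production session cookie is the state to aim for; any host listed is one the application behind it must treat as a separate session, since the browser will present the same id there.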