[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Matt Tesauro matt.tesauro at owasp.org
Wed Feb 17 18:04:56 UTC 2016


Johanna,

Of the 119 resolving records (206 minus 187), my review shows 10 stale DNS
records.  That's 8.4% stale records for the resolving hostnames Tom
provided.  For the entire list of 206 hostnames, that's 4.8% stale DNS
records.

The following stale DNS records will be removed:
es.owasp.org has address 50.57.64.91
wiki.owasp.org has address 192.237.166.62
wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
stage.owasp.org has address 50.56.28.235
jobs.owasp.org is an alias for owasp.org.
connect.owasp.org has address 50.56.28.235
update-wiki.owasp.org has address 67.207.155.190
update-wiki.owasp.org has IPv6 address 2001:4801:7823:76:cd2c:d9de:ff10:ba46

Consider the DNS cleaned up shortly.  As luck would have it, there's
currently a problem with Rack's Cloud DNS:
  "On 17 February 2016 at 09:15 CST, engineers became aware of an issue
affecting DNS updates. At this time customers may experience delays of up
to 30 minutes for DNS changes."
see https://status.rackspace.com/index/viewincidents?group=14

This is breaking the API and web interfaces to Rack's Cloud DNS.  As soon
as the Cloud DNS issue is resolved at Rack, I'll remove the 10 stale
entries assuming the support ticket I put in doesn't get handled first.

I'll now go find and close the ticket raised.

non-TLDR version:

$ calc 206 - 87
119
$ calc 10/119
~0.08403361344537815126
$ calc 10/206
~0.04854368932038834951
$ grep -v "not found" resolving-tom-b-host-list
lists.owasp.org has address 162.209.12.188
lists.owasp.org mail is handled by 10 d15006a.ess.barracudanetworks.com.
lists.owasp.org mail is handled by 20 d15006b.ess.barracudanetworks.com.
owasp4.owasp.org has address 198.101.154.205
ocms.owasp.org has address 198.101.154.205
es.owasp.org has address 50.57.64.91
phpsec.owasp.org has address 198.101.154.205
wiki.owasp.org has address 192.237.166.62
wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
stage.owasp.org has address 50.56.28.235
sl.owasp.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 64.233.180.121
ghs.l.google.com has IPv6 address 2607:f8b0:4003:c12::79
my.owasp.org is an alias for myowasp.ning.com.
myowasp.ning.com has address 208.82.16.68
myowasp.ning.com mail is handled by 10 amx.ning.com.
mail.owasp.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 64.233.168.121
ghs.l.google.com has IPv6 address 2607:f8b0:4003:c0c::79
jobs.owasp.org is an alias for owasp.org.
owasp.org has address 104.130.192.89
owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
groups.owasp.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 64.233.168.121
ghs.l.google.com has IPv6 address 2607:f8b0:4003:c07::79
docs.owasp.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 108.177.9.121
ghs.l.google.com has IPv6 address 2607:f8b0:4003:c09::79
contact.owasp.org has address 198.101.154.205
connect.owasp.org has address 50.56.28.235
calendar.owasp.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 108.177.9.121
ghs.l.google.com has IPv6 address 2607:f8b0:4003:c13::79
austin.owasp.org is an alias for owasp.org.
owasp.org has address 104.130.192.89
owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
www.owasp.org has address 104.130.192.89
www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
www.owasp.org has address 104.130.192.89
www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
origin-www.owasp.org has address 192.237.166.62
update-wiki.owasp.org has address 67.207.155.190
update-wiki.owasp.org has IPv6 address 2001:4801:7823:76:cd2c:d9de:ff10:ba46
kerala.owasp.org is an alias for home-owaspkerala.rhcloud.com.
home-owaspkerala.rhcloud.com is an alias for ex-std-node551.prod.rhcloud.com.
ex-std-node551.prod.rhcloud.com is an alias for ec2-54-165-213-223.compute-1.amazonaws.com.
ec2-54-165-213-223.compute-1.amazonaws.com has address 54.165.213.223

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Tue, Feb 16, 2016 at 10:43 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Brraaaaw....
> That also needs some serious clean up
>
> On Wed, Feb 17, 2016 at 12:38 AM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>
>> Test these *cough*
>>
>> Note ongoing ticket on why we have some of these active..
>>
>> lists.owasp.org
>> owasp4.owasp.org
>> ocms.owasp.org
>> ml1lists.owasp.org
>> ads.owasp.org
>> es.owasp.org
>> phpsec.owasp.org
>> alt2.aspmx.l.owasp.org
>> aspmx3.owasp.org
>> aspmx5.owasp.org
>> aspmx.l.owasp.org
>> alt1.aspmx.l.owasp.org
>> aspmx2.owasp.org
>> aspmx4.owasp.org
>> dns1.owasp.org
>> dns2.owasp.org
>> wiki.owasp.org
>> stage.owasp.org
>> sl.owasp.org
>> my.owasp.org
>> mail.owasp.org
>> jobs.owasp.org
>> groups.owasp.org
>> docs.owasp.org
>> contact.owasp.org
>> connect.owasp.org
>> calendar.owasp.org
>> austin.owasp.org
>> mxb.owasp.org
>> mxa.owasp.org
>> d15006a.ess.owasp.org
>> d15006b.ess.owasp.org
>> gs.owasp.org
>> mx.owasp.org
>> ww.owasp.org
>> old.owasp.org
>> rna.owasp.org
>> zig.owasp.org
>> _caldavs._tcp.owasp.org
>> _autodiscover._tcp.owasp.org
>> _sipfederationtls._tcp.owasp.org
>> ads2.owasp.org
>> alex.owasp.org
>> beta.owasp.org
>> clan.owasp.org
>> hwww.owasp.org
>> lain.owasp.org
>> liss.owasp.org
>> vb.liss.owasp.org
>> blog.liss.owasp.org
>> chat.liss.owasp.org
>> mybb.liss.owasp.org
>> wiki.liss.owasp.org
>> board.liss.owasp.org
>> forum.liss.owasp.org
>> piwik.liss.owasp.org
>> boards.liss.owasp.org
>> webstats.liss.owasp.org
>> analytics.liss.owasp.org
>> phpmyadmin.liss.owasp.org
>> rear.owasp.org
>> some.owasp.org
>> soup.owasp.org
>> www2.owasp.org
>> vb.www2.owasp.org
>> chat.www2.owasp.org
>> mybb.www2.owasp.org
>> wiki.www2.owasp.org
>> board.www2.owasp.org
>> piwik.www2.owasp.org
>> stats.www2.owasp.org
>> boards.www2.owasp.org
>> dokuwiki.www2.owasp.org
>> webstats.www2.owasp.org
>> analytics.www2.owasp.org
>> phpmyadmin.www2.owasp.org
>> blogs.owasp.org
>> vb.blogs.owasp.org
>> blog.blogs.owasp.org
>> chat.blogs.owasp.org
>> mybb.blogs.owasp.org
>> wiki.blogs.owasp.org
>> board.blogs.owasp.org
>> forum.blogs.owasp.org
>> piwik.blogs.owasp.org
>> stats.blogs.owasp.org
>> forums.blogs.owasp.org
>> dokuwiki.blogs.owasp.org
>> webstats.blogs.owasp.org
>> analytics.blogs.owasp.org
>> phpmyadmin.blogs.owasp.org
>> cache.owasp.org
>> fable.owasp.org
>> forum.owasp.org
>> vb.forum.owasp.org
>> blog.forum.owasp.org
>> chat.forum.owasp.org
>> mybb.forum.owasp.org
>> wiki.forum.owasp.org
>> board.forum.owasp.org
>> forum.forum.owasp.org
>> piwik.forum.owasp.org
>> stats.forum.owasp.org
>> boards.forum.owasp.org
>> forums.forum.owasp.org
>> dokuwiki.forum.owasp.org
>> webstats.forum.owasp.org
>> analytics.forum.owasp.org
>> phpmyadmin.forum.owasp.org
>> frill.owasp.org
>> gourd.owasp.org
>> graft.owasp.org
>> hayes.owasp.org
>> htwww.owasp.org
>> lucky.owasp.org
>> wendy.owasp.org
>> behest.owasp.org
>> drudge.owasp.org
>> dugout.owasp.org
>> httwww.owasp.org
>> inhale.owasp.org
>> medium.owasp.org
>> method.owasp.org
>> mockup.owasp.org
>> www.owasp.orgwww.owasp.org
>> second.owasp.org
>> switch.owasp.org
>> troupe.owasp.org
>> www.owasp.org
>> cameron.owasp.org
>> clobber.owasp.org
>> httpwww.owasp.org
>> mailman.owasp.org
>> w ww.owasp.org
>> lessons.webgoat.owasp.org
>> webmail.owasp.org
>> wiki191.owasp.org
>> vb.wiki191.owasp.org
>> blog.wiki191.owasp.org
>> chat.wiki191.owasp.org
>> mybb.wiki191.owasp.org
>> wiki.wiki191.owasp.org
>> board.wiki191.owasp.org
>> forum.wiki191.owasp.org
>> piwik.wiki191.owasp.org
>> stats.wiki191.owasp.org
>> boards.wiki191.owasp.org
>> forums.wiki191.owasp.org
>> dokuwiki.wiki191.owasp.org
>> webstats.wiki191.owasp.org
>> analytics.wiki191.owasp.org
>> phpmyadmin.wiki191.owasp.org
>> willful.owasp.org
>> woodhen.owasp.org
>> ww w.owasp.org
>> www.owasp.org
>> defector.owasp.org
>> flourish.owasp.org
>> freakish.owasp.org
>> httpswww.owasp.org
>> intimate.owasp.org
>> isopleth.owasp.org
>> chromatin.owasp.org
>> downgrade.owasp.org
>> electoral.owasp.org
>> handwrite.owasp.org
>> influence.owasp.org
>> infusible.owasp.org
>> metabolic.owasp.org
>> solipsism.owasp.org
>> _adsp._domainkey.owasp.org
>> _policy._domainkey.owasp.org
>> autoconfig.owasp.org
>> cunningham.owasp.org
>> manservant.owasp.org
>> origin-www.owasp.org
>> picosecond.owasp.org
>> redemption.owasp.org
>> strawberry.owasp.org
>> %3cbr%3ewww.owasp.org
>> owasp%20www.owasp.org
>> partnerpage.owasp.org
>> update-wiki.owasp.org
>> w%3cbr%3eww.owasp.org
>> ww%3cbr%3ew.owasp.org
>> www%3cbr%3e.owasp.org
>> autodiscover.owasp.org
>> edonkeycenter.owasp.org
>> vb.edonkeycenter.owasp.org
>> blog.edonkeycenter.owasp.org
>> chat.edonkeycenter.owasp.org
>> mybb.edonkeycenter.owasp.org
>> wiki.edonkeycenter.owasp.org
>> board.edonkeycenter.owasp.org
>> forum.edonkeycenter.owasp.org
>> piwik.edonkeycenter.owasp.org
>> stats.edonkeycenter.owasp.org
>> boards.edonkeycenter.owasp.org
>> dokuwiki.edonkeycenter.owasp.org
>> webstats.edonkeycenter.owasp.org
>> analytics.edonkeycenter.owasp.org
>> phpmyadmin.edonkeycenter.owasp.org
>> ns1.owasp.org
>> ns2.owasp.org
>> pdns01.owasp.org
>> pdns02.owasp.org
>> kerala.owasp.org
>>
>> Anyone who wants to play with a new DNS tool I am working on hit me up
>> off list.
>>
>> Tom Brennan
>> Global Board of Directors
>> NYC/NJ Metro Chapter Leader
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>> On Tue, Feb 16, 2016 at 11:32 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> No, it's about system admins that create many subdomains; each
>>> subdomain should have a proper level of access, and Set-Cookie is not
>>> properly set up for each subdomain, so you can 'hop' from one subdomain to
>>> another using the same cookie ;-)
>>>
>>> I tested the Cybertool, quite nice for analysing domains. In my case the
>>> sysadmin/web dev has been smart enough to set a proper robots file that
>>> does not allow spidering, so I don't get a list of the existing subdomains
>>> as in the graphics you sent. However, I found something concerning regarding
>>> one of the servers, which seems to be in a blacklist....
>>>
>>> Thanks for the tip, I'll test it further these days to find out more about
>>> how it works.
>>>
>>> Cheers
>>>
>>> On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> Are you referring to what is happening with the OWASP subdomains?
>>>>
>>>> Tom Brennan
>>>> Global Board of Directors
>>>> (d) 973-506-9304
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>>
>>>> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
>>>> wrote:
>>>>
>>>>> Hello Johanna,
>>>>>
>>>>> I don't have much information, but like @Munir said, it could be used
>>>>> for insecure redirects and is usable for phishing attacks.
>>>>> Second, you can access the original website, and sometimes that could
>>>>> help us bypass a firewall or WAF. [It could be useful if you feel the
>>>>> server has a firewall which is blocking your requests while testing a bug.]
>>>>> Third, you may get access to see restricted areas, or internal servers/hosts,
>>>>> by changing your request; it's not easy to guess internal hosts or IP
>>>>> addresses, and I don't see any software or scanner to do it for you, but it's
>>>>> not that hard if you have a live target and write a [python] script for
>>>>> this. You may also test some ports on the target; you can bypass to access
>>>>> them [through http] to see there too.
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Hi Johanna,
>>>>>> Seeing again that no revalidation is done, an attacker in my view would
>>>>>> also look for insecure direct object references, hence accessing assets they
>>>>>> shouldn't.
>>>>>>
>>>>>> Munir Njenga,
>>>>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>>>>> Developer
>>>>>> Mob   (KE) +254 (0) 734960670
>>>>>>
>>>>>> =============================
>>>>>> Chapter Page: www.owasp.org/index.php/Kenya
>>>>>> Project Site:
>>>>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>>>>> Email: munir.njiru at owasp.org
>>>>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>>>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Forgot to mention, other vulnerabilities than session fixation
>>>>>>>
>>>>>>> The situation is the following:
>>>>>>>
>>>>>>>
>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>    server
>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>    request on subdomain_A and use the same session id if he browses to
>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>    Host, I'm able to show in the URL I'm in subdomainB; however I'm userA.
>>>>>>>    Funny enough the application shown is from SubdomainA but the URL is
>>>>>>>    showing subdomainB
>>>>>>>
>>>>>>> Questions
>>>>>>>
>>>>>>>
>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>    authentication (let's say impersonate and login into the subdomainB application) other
>>>>>>>    than session fixation
>>>>>>>
>>>>>>>
>>>>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>>>>
>>>>>>>
>>>>>>>    - When I tested this using burp, I got a message 'Cookie scoped
>>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>>    Referer/Host request tampering)
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi leaders
>>>>>>>>
>>>>>>>> I have a question. I was looking for some info to understand the attack
>>>>>>>> surface but could not find a specific case or documentation regarding this.
>>>>>>>>
>>>>>>>> The situation is the following:
>>>>>>>>
>>>>>>>>
>>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>>    server
>>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>>    request on subdomain_A and use the same session id if he browses to
>>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>>    Host, I'm able to show in the URL I'm in subdomainB; however I'm userA.
>>>>>>>>    Funny enough the application shown is from SubdomainA but the URL is
>>>>>>>>    showing subdomainB
>>>>>>>>
>>>>>>>> Questions
>>>>>>>>
>>>>>>>>
>>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>>    authentication (let's say impersonate and login into the subdomainB application)
>>>>>>>>
>>>>>>>>
>>>>>>>>    - Are any other kind of risks associated with this
>>>>>>>>    vulnerability?
>>>>>>>>
>>>>>>>>
>>>>>>>>    - When I tested this using burp, I got a message 'Cookie scoped
>>>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>>>    Referer/Host request tampering)
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>> The information contained in this message and any attachments may be
>>>> privileged, confidential, proprietary or otherwise protected from
>>>> disclosure. If you, the reader of this message, are not the intended
>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>> copying or use of this message and any attachment is strictly prohibited.
>>>> If you have received this message in error, please notify the sender
>>>> immediately by replying to the message, permanently delete it from your
>>>> computer and destroy any printout.
>>>>
>>>
>>>
>>
>
>
>
>
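The two points the thread turns on, Burp's 'Cookie scoped to parent domain' finding and the server not revalidating a session that arrived from another subdomain, as an added example in Python. This is not code from anyone in the thread; the example.org hostnames, the `session` cookie name and the HMAC-binding scheme are assumptions for the demo. The `routed_host` argument must be the virtual host the reverse proxy actually selected, not the raw client-supplied Host header, otherwise the tampering Johanna describes would steer the check.

```python
"""Added example (not code from anyone in this thread): why a cookie scoped
to the parent domain follows the user from subdomain_A to subdomainB, and a
server-side check that binds a session to the subdomain that issued it.
Hostnames, the cookie name and the HMAC scheme are assumptions for the demo."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-deployment secret; in a real deployment it lives outside
# the code base and is shared only by the applications that must verify it.
SECRET_KEY = secrets.token_bytes(32)


def browser_sends_cookie(request_host: str, issuing_host: str,
                         cookie_domain: Optional[str]) -> bool:
    """RFC 6265 domain matching as a browser applies it.
    No Domain attribute -> host-only cookie, returned only to issuing_host.
    Domain=<parent>     -> returned to the parent and every subdomain below it,
                           which is Burp's 'Cookie scoped to parent domain' finding."""
    request_host = request_host.lower().rstrip(".")
    if cookie_domain is None:
        return request_host == issuing_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def set_cookie_header(value: str, domain: Optional[str] = None) -> str:
    """Build the Set-Cookie line; domain=None gives the host-only (safer) form."""
    attrs = [f"session={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if domain:
        attrs.append(f"Domain={domain}")  # parent-scoped: shared by all subdomains
    return "Set-Cookie: " + "; ".join(attrs)


def _tag(sid: str, host: str) -> str:
    """HMAC over the session id and the host it is valid for."""
    msg = f"{sid}|{host.lower().rstrip('.')}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(routed_host: str) -> str:
    """Create a session id tagged with the host it is valid for.
    routed_host must be the virtual host the reverse proxy actually selected,
    not the raw client-supplied Host header."""
    sid = secrets.token_hex(16)
    return f"{sid}.{_tag(sid, routed_host)}"


def validate_session(cookie_value: str, routed_host: str) -> bool:
    """Accept the cookie only on the host it was issued for, so a session the
    browser carried across subdomains is rejected instead of silently reused."""
    sid, sep, tag = cookie_value.partition(".")
    if not sep or not sid or not tag:
        return False
    return hmac.compare_digest(tag, _tag(sid, routed_host))


if __name__ == "__main__":
    cookie = issue_session("a.example.org")
    print(set_cookie_header(cookie))                 # host-only form
    print(set_cookie_header(cookie, "example.org"))  # parent-scoped form
    print(browser_sends_cookie("b.example.org", "a.example.org", None))
    print(browser_sends_cookie("b.example.org", "a.example.org", "example.org"))
    print(validate_session(cookie, "a.example.org"),
          validate_session(cookie, "b.example.org"))
```

With a host-only cookie the browser never presents the session to the other subdomain at all; with a parent-scoped cookie it does, and only the server-side binding stops subdomainB from accepting subdomain_A's session.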
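Matt's "non-TLDR" section shows the raw `host` output he reviewed and the two percentages he computed from it. As an added example (not Matt's script or any project code), the Python below parses that output format into a per-hostname record table, follows CNAME chains to the final addresses, and flags in-zone names that point only at decommissioned servers. It goes slightly beyond the thread by automating the chain-following and the stale fraction; the sample lines, the example.org zone and the set of retired addresses are constructed for the demo.

```python
"""Added example (not code from this thread): parse `host`-style output into a
record table, follow CNAME chains, and flag in-zone names whose addresses all
belong to decommissioned servers.  The sample lines, the example.org zone and
the retired address set are constructed for the demo."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HOST_LINE = re.compile(
    r"^(?P<name>\S+) (?:has address (?P<a>\S+)"
    r"|has IPv6 address (?P<aaaa>\S+)"
    r"|mail is handled by (?P<pref>\d+) (?P<mx>\S+)"
    r"|is an alias for (?P<cname>\S+))$"
)

Records = Dict[str, List[Tuple[str, str]]]


def parse_host_output(text: str) -> Records:
    """Return {hostname: [(rtype, target), ...]}.  Lines that do not match
    (e.g. 'x not found: 3(NXDOMAIN)') are the non-resolving names and are skipped."""
    records: Records = defaultdict(list)
    for raw in text.splitlines():
        m = HOST_LINE.match(raw.strip())
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if m["a"]:
            records[name].append(("A", m["a"]))
        elif m["aaaa"]:
            records[name].append(("AAAA", m["aaaa"].lower()))
        elif m["mx"]:
            records[name].append(("MX", m["mx"].rstrip(".").lower()))
        else:
            records[name].append(("CNAME", m["cname"].rstrip(".").lower()))
    return dict(records)


def resolve_addresses(records: Records, name: str, _depth: int = 0) -> Set[str]:
    """Follow CNAMEs within the parsed output down to the final A/AAAA set."""
    if _depth > 8:  # guard against CNAME loops in bad zone data
        return set()
    addrs: Set[str] = set()
    for rtype, target in records.get(name, []):
        if rtype in ("A", "AAAA"):
            addrs.add(target)
        elif rtype == "CNAME":
            addrs |= resolve_addresses(records, target, _depth + 1)
    return addrs


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def review_zone(records: Records, zone: str, retired: Set[str]) -> dict:
    """Count resolving in-zone names and list those whose addresses are all
    retired; names with only MX records (no address) are not flagged."""
    names = sorted(n for n in records if in_zone(n, zone))
    stale = [n for n in names
             if (addrs := resolve_addresses(records, n)) and addrs <= retired]
    return {
        "resolving": len(names),
        "stale": stale,
        "stale_fraction": len(stale) / len(names) if names else 0.0,
    }


# Constructed sample in the format `host` prints, using RFC 5737/3849
# documentation addresses rather than any real host.
SAMPLE_OUTPUT = """\
www.example.org has address 192.0.2.10
www.example.org has IPv6 address 2001:db8::10
old.example.org has address 198.51.100.7
stage.example.org has address 198.51.100.7
docs.example.org is an alias for hosting.example.net.
hosting.example.net has address 203.0.113.5
example.org mail is handled by 10 mx1.example.org.
gone.example.org not found: 3(NXDOMAIN)
"""
# Constructed: addresses of servers already decommissioned.
RETIRED_ADDRESSES = {"198.51.100.7"}

if __name__ == "__main__":
    table = parse_host_output(SAMPLE_OUTPUT)
    print(review_zone(table, "example.org", RETIRED_ADDRESSES))
```

Output lines that a mail client has wrapped (as the rhcloud alias in the list above was) need to be rejoined before parsing, since the regex matches one record per line.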