[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Matt Tesauro matt.tesauro at owasp.org
Wed Feb 17 18:39:28 UTC 2016


Johanna et al,

The 10 stale DNS entries have been removed.

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site
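The stale-record tally Matt quotes below was done by hand with calc and grep over saved host(1) output. As an added example (not from this thread and not any OWASP tooling), the script below does the same bookkeeping automatically: it parses the line formats host(1) prints, restricts the count to the names that were actually queried, and flags names whose every address or alias target sits in a set of retired targets. The queried list, the host output and the retired set are constructed for this example (RFC 5737/3849 test addresses); deciding which targets count as retired is still the operator's review, exactly as it was here, where jobs.owasp.org's CNAME to the live apex was removed on judgement rather than because its target was dead.

```python
"""Tally stale DNS records from host(1) output (constructed example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# The four line shapes host(1) prints for A/AAAA, CNAME, MX and NXDOMAIN.
_ADDR = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")
_CNAME = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
_MX = re.compile(r"^(\S+) mail is handled by \d+ (\S+?)\.?$")
_NXDOMAIN = re.compile(r"^Host (\S+) not found")

Record = Tuple[str, str]  # (rtype, target)


def parse_host_output(text: str) -> Tuple[Dict[str, List[Record]], Set[str]]:
    """Group host(1) lines by owner name; return (records, names reported not found).

    Note that host(1) follows CNAME chains, so lines for the alias target
    (e.g. ghs.example.net) are attributed to that name, not to the queried one.
    """
    records: Dict[str, List[Record]] = defaultdict(list)
    not_found: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _NXDOMAIN.match(line)
        if m:
            not_found.add(m.group(1))
            continue
        for rtype, pattern in (("A", _ADDR), ("CNAME", _CNAME), ("MX", _MX)):
            m = pattern.match(line)
            if m:
                records[m.group(1)].append((rtype, m.group(2)))
                break
    return dict(records), not_found


def tally(queried: Iterable[str], host_output: str, retired: Set[str]) -> Dict[str, object]:
    """Resolving vs. not-found counts, and stale as a share of each.

    A queried name is stale when it resolves and every A/AAAA/CNAME target is
    in `retired`.  MX targets are ignored: a mail route does not keep a dead
    web host alive.  `unexplained` lists queried names that produced neither a
    record nor an NXDOMAIN line (timeouts, SERVFAIL), which need a re-run.
    """
    records, not_found = parse_host_output(host_output)
    names = list(queried)
    resolving = [n for n in names if n in records]
    missing = [n for n in names if n not in records]
    stale = []
    for name in resolving:
        targets = {t for rtype, t in records[name] if rtype != "MX"}
        if targets and targets <= retired:
            stale.append(name)
    return {
        "total": len(names),
        "resolving": len(resolving),
        "not_found": len(missing),
        "unexplained": [n for n in missing if n not in not_found],
        "stale": stale,
        "stale_of_resolving": len(stale) / len(resolving) if resolving else 0.0,
        "stale_of_total": len(stale) / len(names) if names else 0.0,
    }


# Constructed sample: what `for h in $(cat hosts); do host "$h"; done` might
# have produced for eight queried names.  Addresses are documentation ranges.
SAMPLE_QUERIED = [
    "lists.example.org", "stage.example.org", "connect.example.org",
    "wiki.example.org", "docs.example.org", "www.example.org",
    "old.example.org", "beta.example.org",
]
SAMPLE_HOST_OUTPUT = """\
lists.example.org has address 192.0.2.10
lists.example.org mail is handled by 10 mx1.example.net.
stage.example.org has address 198.51.100.7
connect.example.org has address 198.51.100.7
wiki.example.org has address 198.51.100.9
wiki.example.org has IPv6 address 2001:db8::9
wiki.example.org mail is handled by 10 mxa.example.net.
docs.example.org is an alias for ghs.example.net.
ghs.example.net has address 192.0.2.20
www.example.org has address 192.0.2.30
Host old.example.org not found: 3(NXDOMAIN)
Host beta.example.org not found: 3(NXDOMAIN)
"""
# Assumed: the operator has confirmed these two hosts were decommissioned.
SAMPLE_RETIRED = {"198.51.100.7", "198.51.100.9", "2001:db8::9"}


def demo() -> Dict[str, object]:
    return tally(SAMPLE_QUERIED, SAMPLE_HOST_OUTPUT, SAMPLE_RETIRED)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample this reports 6 of 8 names resolving, 3 stale (stage, connect and wiki, all pointing only at retired targets), so 50% of resolving names and 37.5% of the full list, the same two ratios Matt computed. The CNAME for docs is not flagged because its target is not in the retired set, which is the point: a CNAME to a live name is only stale if someone says so.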


On Wed, Feb 17, 2016 at 12:04 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Johanna,
>
> Of the 119 resolving records (206 minus 87), my review shows 10 stale DNS
> records.  That's 8.4% stale records for the resolving hostnames Tom
> provided.  For the entire list of 206 hostnames, that's 4.8% stale DNS
> records.
>
> The following stale DNS records will be removed:
> es.owasp.org has address 50.57.64.91
> wiki.owasp.org has address 192.237.166.62
> wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
> wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
> wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
> stage.owasp.org has address 50.56.28.235
> jobs.owasp.org is an alias for owasp.org.
> connect.owasp.org has address 50.56.28.235
> update-wiki.owasp.org has address 67.207.155.190
> update-wiki.owasp.org has IPv6 address 2001:4801:7823:76:cd2c:d9de:ff10:ba46
>
> Consider the DNS cleaned up shortly.  As luck would have it, there's
> currently a problem with Rack's Cloud DNS:
>   "On 17 February 2016 at 09:15 CST, engineers became aware of an issue
> affecting DNS updates. At this time customers may experience delays of up
> to 30 minutes for DNS changes."
> see https://status.rackspace.com/index/viewincidents?group=14
>
> This is breaking the API and web interfaces to Rack's Cloud DNS.  As soon
> as the Cloud DNS issue is resolved at Rack, I'll remove the 10 stale
> entries assuming the support ticket I put in doesn't get handled first.
>
> I'll now go find and close the ticket raised.
>
> non-TLDR version:
>
> $ calc 206 - 87
> 119
> $ calc 10/119
> ~0.08403361344537815126
> $ calc 10/206
> ~0.04854368932038834951
> $ grep -v "not found" resolving-tom-b-host-list
> lists.owasp.org has address 162.209.12.188
> lists.owasp.org mail is handled by 10 d15006a.ess.barracudanetworks.com.
> lists.owasp.org mail is handled by 20 d15006b.ess.barracudanetworks.com.
> owasp4.owasp.org has address 198.101.154.205
> ocms.owasp.org has address 198.101.154.205
> es.owasp.org has address 50.57.64.91
> phpsec.owasp.org has address 198.101.154.205
> wiki.owasp.org has address 192.237.166.62
> wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
> wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
> wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
> stage.owasp.org has address 50.56.28.235
> sl.owasp.org is an alias for ghs.google.com.
> ghs.google.com is an alias for ghs.l.google.com.
> ghs.l.google.com has address 64.233.180.121
> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c12::79
> my.owasp.org is an alias for myowasp.ning.com.
> myowasp.ning.com has address 208.82.16.68
> myowasp.ning.com mail is handled by 10 amx.ning.com.
> mail.owasp.org is an alias for ghs.google.com.
> ghs.google.com is an alias for ghs.l.google.com.
> ghs.l.google.com has address 64.233.168.121
> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c0c::79
> jobs.owasp.org is an alias for owasp.org.
> owasp.org has address 104.130.192.89
> owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
> owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
> owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
> owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
> owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
> groups.owasp.org is an alias for ghs.google.com.
> ghs.google.com is an alias for ghs.l.google.com.
> ghs.l.google.com has address 64.233.168.121
> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c07::79
> docs.owasp.org is an alias for ghs.google.com.
> ghs.google.com is an alias for ghs.l.google.com.
> ghs.l.google.com has address 108.177.9.121
> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c09::79
> contact.owasp.org has address 198.101.154.205
> connect.owasp.org has address 50.56.28.235
> calendar.owasp.org is an alias for ghs.google.com.
> ghs.google.com is an alias for ghs.l.google.com.
> ghs.l.google.com has address 108.177.9.121
> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c13::79
> austin.owasp.org is an alias for owasp.org.
> owasp.org has address 104.130.192.89
> owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
> owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
> owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
> owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
> owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
> owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
> www.owasp.org has address 104.130.192.89
> www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
> www.owasp.org has address 104.130.192.89
> www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
> origin-www.owasp.org has address 192.237.166.62
> update-wiki.owasp.org has address 67.207.155.190
> update-wiki.owasp.org has IPv6 address 2001:4801:7823:76:cd2c:d9de:ff10:ba46
> kerala.owasp.org is an alias for home-owaspkerala.rhcloud.com.
> home-owaspkerala.rhcloud.com is an alias for ex-std-node551.prod.rhcloud.com.
> ex-std-node551.prod.rhcloud.com is an alias for ec2-54-165-213-223.compute-1.amazonaws.com.
> ec2-54-165-213-223.compute-1.amazonaws.com has address 54.165.213.223
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
On Tue, Feb 16, 2016 at 10:43 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Brraaaaw....
> That also needs some serious clean up
>
> On Wed, Feb 17, 2016 at 12:38 AM, Tom Brennan - OWASP <tomb at owasp.org>
> wrote:
>
>> Test these *cough*
>>
>> Note ongoing ticket on why we have some of these active..
>>
>> lists.owasp.org
>> owasp4.owasp.org
>> ocms.owasp.org
>> ml1lists.owasp.org
>> ads.owasp.org
>> es.owasp.org
>> phpsec.owasp.org
>> alt2.aspmx.l.owasp.org
>> aspmx3.owasp.org
>> aspmx5.owasp.org
>> aspmx.l.owasp.org
>> alt1.aspmx.l.owasp.org
>> aspmx2.owasp.org
>> aspmx4.owasp.org
>> dns1.owasp.org
>> dns2.owasp.org
>> wiki.owasp.org
>> stage.owasp.org
>> sl.owasp.org
>> my.owasp.org
>> mail.owasp.org
>> jobs.owasp.org
>> groups.owasp.org
>> docs.owasp.org
>> contact.owasp.org
>> connect.owasp.org
>> calendar.owasp.org
>> austin.owasp.org
>> mxb.owasp.org
>> mxa.owasp.org
>> d15006a.ess.owasp.org
>> d15006b.ess.owasp.org
>> gs.owasp.org
>> mx.owasp.org
>> ww.owasp.org
>> old.owasp.org
>> rna.owasp.org
>> zig.owasp.org
>> _caldavs._tcp.owasp.org
>> _autodiscover._tcp.owasp.org
>> _sipfederationtls._tcp.owasp.org
>> ads2.owasp.org
>> alex.owasp.org
>> beta.owasp.org
>> clan.owasp.org
>> hwww.owasp.org
>> lain.owasp.org
>> liss.owasp.org
>> vb.liss.owasp.org
>> blog.liss.owasp.org
>> chat.liss.owasp.org
>> mybb.liss.owasp.org
>> wiki.liss.owasp.org
>> board.liss.owasp.org
>> forum.liss.owasp.org
>> piwik.liss.owasp.org
>> boards.liss.owasp.org
>> webstats.liss.owasp.org
>> analytics.liss.owasp.org
>> phpmyadmin.liss.owasp.org
>> rear.owasp.org
>> some.owasp.org
>> soup.owasp.org
>> www2.owasp.org
>> vb.www2.owasp.org
>> chat.www2.owasp.org
>> mybb.www2.owasp.org
>> wiki.www2.owasp.org
>> board.www2.owasp.org
>> piwik.www2.owasp.org
>> stats.www2.owasp.org
>> boards.www2.owasp.org
>> dokuwiki.www2.owasp.org
>> webstats.www2.owasp.org
>> analytics.www2.owasp.org
>> phpmyadmin.www2.owasp.org
>> blogs.owasp.org
>> vb.blogs.owasp.org
>> blog.blogs.owasp.org
>> chat.blogs.owasp.org
>> mybb.blogs.owasp.org
>> wiki.blogs.owasp.org
>> board.blogs.owasp.org
>> forum.blogs.owasp.org
>> piwik.blogs.owasp.org
>> stats.blogs.owasp.org
>> forums.blogs.owasp.org
>> dokuwiki.blogs.owasp.org
>> webstats.blogs.owasp.org
>> analytics.blogs.owasp.org
>> phpmyadmin.blogs.owasp.org
>> cache.owasp.org
>> fable.owasp.org
>> forum.owasp.org
>> vb.forum.owasp.org
>> blog.forum.owasp.org
>> chat.forum.owasp.org
>> mybb.forum.owasp.org
>> wiki.forum.owasp.org
>> board.forum.owasp.org
>> forum.forum.owasp.org
>> piwik.forum.owasp.org
>> stats.forum.owasp.org
>> boards.forum.owasp.org
>> forums.forum.owasp.org
>> dokuwiki.forum.owasp.org
>> webstats.forum.owasp.org
>> analytics.forum.owasp.org
>> phpmyadmin.forum.owasp.org
>> frill.owasp.org
>> gourd.owasp.org
>> graft.owasp.org
>> hayes.owasp.org
>> htwww.owasp.org
>> lucky.owasp.org
>> wendy.owasp.org
>> behest.owasp.org
>> drudge.owasp.org
>> dugout.owasp.org
>> httwww.owasp.org
>> inhale.owasp.org
>> medium.owasp.org
>> method.owasp.org
>> mockup.owasp.org
>> www.owasp.orgwww.owasp.org
>> second.owasp.org
>> switch.owasp.org
>> troupe.owasp.org
>> www.owasp.org
>> cameron.owasp.org
>> clobber.owasp.org
>> httpwww.owasp.org
>> mailman.owasp.org
>> w ww.owasp.org
>> lessons.webgoat.owasp.org
>> webmail.owasp.org
>> wiki191.owasp.org
>> vb.wiki191.owasp.org
>> blog.wiki191.owasp.org
>> chat.wiki191.owasp.org
>> mybb.wiki191.owasp.org
>> wiki.wiki191.owasp.org
>> board.wiki191.owasp.org
>> forum.wiki191.owasp.org
>> piwik.wiki191.owasp.org
>> stats.wiki191.owasp.org
>> boards.wiki191.owasp.org
>> forums.wiki191.owasp.org
>> dokuwiki.wiki191.owasp.org
>> webstats.wiki191.owasp.org
>> analytics.wiki191.owasp.org
>> phpmyadmin.wiki191.owasp.org
>> willful.owasp.org
>> woodhen.owasp.org
>> ww w.owasp.org
>> www.owasp.org
>> defector.owasp.org
>> flourish.owasp.org
>> freakish.owasp.org
>> httpswww.owasp.org
>> intimate.owasp.org
>> isopleth.owasp.org
>> chromatin.owasp.org
>> downgrade.owasp.org
>> electoral.owasp.org
>> handwrite.owasp.org
>> influence.owasp.org
>> infusible.owasp.org
>> metabolic.owasp.org
>> solipsism.owasp.org
>> _adsp._domainkey.owasp.org
>> _policy._domainkey.owasp.org
>> autoconfig.owasp.org
>> cunningham.owasp.org
>> manservant.owasp.org
>> origin-www.owasp.org
>> picosecond.owasp.org
>> redemption.owasp.org
>> strawberry.owasp.org
>> %3cbr%3ewww.owasp.org
>> owasp%20www.owasp.org
>> partnerpage.owasp.org
>> update-wiki.owasp.org
>> w%3cbr%3eww.owasp.org
>> ww%3cbr%3ew.owasp.org
>> www%3cbr%3e.owasp.org
>> autodiscover.owasp.org
>> edonkeycenter.owasp.org
>> vb.edonkeycenter.owasp.org
>> blog.edonkeycenter.owasp.org
>> chat.edonkeycenter.owasp.org
>> mybb.edonkeycenter.owasp.org
>> wiki.edonkeycenter.owasp.org
>> board.edonkeycenter.owasp.org
>> forum.edonkeycenter.owasp.org
>> piwik.edonkeycenter.owasp.org
>> stats.edonkeycenter.owasp.org
>> boards.edonkeycenter.owasp.org
>> dokuwiki.edonkeycenter.owasp.org
>> webstats.edonkeycenter.owasp.org
>> analytics.edonkeycenter.owasp.org
>> phpmyadmin.edonkeycenter.owasp.org
>> ns1.owasp.org
>> ns2.owasp.org
>> pdns01.owasp.org
>> pdns02.owasp.org
>> kerala.owasp.org
>>
>> Anyone who wants to play with a new DNS tool I am working on hit me up
>> off list.
>>
>> Tom Brennan
>> Global Board of Directors
>> NYC/NJ Metro Chapter Leader
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>> On Tue, Feb 16, 2016 at 11:32 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> No, it is about system admins that create many subdomains, but each
>>> subdomain should have a proper level of access, and Set-Cookie is not
>>> properly set up for each subdomain, so you can 'hop' from one subdomain to
>>> another using the same cookie ;-)
>>>
>>> I tested the Cybertool, quite nice for analysing domains. In my case the
>>> sysadmin/web dev has been smart enough to set a proper robots file that
>>> does not allow spidering, so I don't get a list of the existing subdomains
>>> like the graphics you sent. However, I found something concerning regarding
>>> one of the servers, which seems to be on a blacklist....
>>>
>>> Thanks for the tip, I'll test it further these days to find out more about
>>> how it works
>>>
>>> Cheers
>>>
>>> On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> Are you referring to what is happening with the OWASP subdomains?
>>>>
>>>> Tom Brennan
>>>> Global Board of Directors
>>>> (d) 973-506-9304
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>>
>>>> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
>>>> wrote:
>>>>
>>>>> Hello Johanna,
>>>>>
>>>>> I don't have much information, but like @Munir said, it could be used
>>>>> for insecure redirects and is usable for phishing attacks.
>>>>> Second, you can access the original website, and sometimes that could
>>>>> help us bypass a firewall or WAF. [It could be useful if you feel the
>>>>> server has a firewall which is blocking your requests while testing a
>>>>> bug.]
>>>>> Third, you may get access to see a restricted area, or internal
>>>>> servers/hosts, by changing your request; it's not easy to guess internal
>>>>> hosts or IP addresses, and I don't see any software or scanner to do it
>>>>> for you, but it's not that hard if you have a live target and write a
>>>>> [python] script for this. You may also test some ports on the target; you
>>>>> can bypass to access them [through HTTP] to see there too.
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Hi Johanna,
>>>>>> Seeing again that no revalidation is done, an attacker in my view would
>>>>>> also look for insecure direct object references, hence accessing assets
>>>>>> they shouldn't.
>>>>>>
>>>>>> Munir Njenga,
>>>>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>>>>> Developer
>>>>>> Mob   (KE) +254 (0) 734960670
>>>>>>
>>>>>> =============================
>>>>>> Chapter Page: www.owasp.org/index.php/Kenya
>>>>>> Project Site:
>>>>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>>>>> Email: munir.njiru at owasp.org
>>>>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>>>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Forgot to mention, other vulnerabilities than session fixation
>>>>>>>
>>>>>>> The situation is the following:
>>>>>>>
>>>>>>>
>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>    server
>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>    request on subdomainA and use the same session id if he browses to
>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>    Host, I'm able to show in the URL I'm in subdomainB, however I'm userA.
>>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>>    showing subdomainB
>>>>>>>
>>>>>>> Questions
>>>>>>>
>>>>>>>
>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>    authentication (let's say impersonate and log in to the subdomainB application) other
>>>>>>>    than session fixation
>>>>>>>
>>>>>>>
>>>>>>>    - Are any other kind of risks associated with this vulnerability?
>>>>>>>
>>>>>>>
>>>>>>>    - When I tested this using burp, I got a message 'Cookie scoped
>>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>>    Referer/Host request tampering)
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Hi leaders
>>>>>>>>
>>>>>>>> I have a question I was looking for some info to understand surface
>>>>>>>> attack but could not find a specific case or documentation regarding this
>>>>>>>>
>>>>>>>> The situation is the following:
>>>>>>>>
>>>>>>>>
>>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>>    server
>>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>>    request on subdomainA and use the same session id if he browses to
>>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>>    Host, I'm able to show in the URL I'm in subdomainB, however I'm userA.
>>>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>>>    showing subdomainB
>>>>>>>>
>>>>>>>> Questions
>>>>>>>>
>>>>>>>>
>>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>>    authentication (let's say impersonate and log in to the subdomainB application)
>>>>>>>>
>>>>>>>>
>>>>>>>>    - Are any other kind of risks associated with this
>>>>>>>>    vulnerability?
>>>>>>>>
>>>>>>>>
>>>>>>>>    - When I tested this using burp, I got a message 'Cookie scoped
>>>>>>>>    to parent domain' (which of course allowed me to trick the server with the
>>>>>>>>    Referer/Host request tampering)
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> The information contained in this message and any attachments may be
>>>> privileged, confidential, proprietary or otherwise protected from
>>>> disclosure. If you, the reader of this message, are not the intended
>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>> copying or use of this message and any attachment is strictly prohibited.
>>>> If you have received this message in error, please notify the sender
>>>> immediately by replying to the message, permanently delete it from your
>>>> computer and destroy any printout.
>>>>
>>>
>>>
>>
>>
>
>
>
>
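Johanna's setup (several applications behind one reverse proxy, a session cookie that Burp flags as scoped to the parent domain, and back ends that accept any session id the proxy hands them) comes down to two separate defects, and the script below is an added example, written for this page rather than taken from the thread, that shows both. It models RFC 6265 domain matching to show which hosts a given Set-Cookie header reaches, checks the __Host- prefix rules that force a cookie to stay host-only, and contrasts a session store that ignores the requesting host with one that binds each session to the host that created it. The hostnames, session id and user name are invented.

```python
"""Parent-domain session cookies vs. host-bound sessions (constructed example)."""
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple


def _parse_set_cookie(set_cookie: str) -> Tuple[str, "SimpleCookie"]:
    """Parse one Set-Cookie header value; return (cookie name, Morsel)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def domain_matches(request_host: str, cookie_domain: Optional[str], issuing_host: str) -> bool:
    """True if a cookie with this Domain attribute is sent on requests to request_host.

    No Domain attribute: host-only, returned only to the exact host that set it.
    Domain=d: returned to d and to every subdomain of d (RFC 6265 section 5.1.3).
    The leading dot a server may send is ignored, and the match is on a label
    boundary, so Domain=example.org never reaches evil-example.org.
    """
    req = request_host.lower().rstrip(".")
    if not cookie_domain:
        return req == issuing_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return req == d or req.endswith("." + d)


def cookie_sent_to(set_cookie: str, issuing_host: str, request_host: str) -> bool:
    """Would the cookie in this Set-Cookie header (set by issuing_host) reach request_host?"""
    _, morsel = _parse_set_cookie(set_cookie)
    return domain_matches(request_host, morsel["domain"], issuing_host)


def host_prefix_ok(set_cookie: str) -> bool:
    """Check the __Host- prefix rules: Secure, Path=/, and no Domain attribute.

    Browsers that implement cookie prefixes drop a __Host- cookie that breaks
    these rules, so the prefix is a cheap guarantee that the cookie stays
    host-only even if someone later adds Domain= in the application config.
    """
    name, morsel = _parse_set_cookie(set_cookie)
    if not name.startswith("__Host-"):
        return False
    return bool(morsel["secure"]) and morsel["path"] == "/" and not morsel["domain"]


class SessionStore:
    """Server-side sessions shared by every app behind the proxy.

    lookup_unbound() reproduces the problem in the thread: the id is accepted
    no matter which host issued it.  lookup_bound() records the issuing host
    at creation and rejects the session when it is presented elsewhere.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, session_id: str, user: str, host: str) -> None:
        self._sessions[session_id] = {"user": user, "host": host.lower()}

    def lookup_unbound(self, session_id: str, request_host: str) -> Optional[str]:
        s = self._sessions.get(session_id)
        return s["user"] if s else None  # request_host never consulted: the bug

    def lookup_bound(self, session_id: str, request_host: str) -> Optional[str]:
        s = self._sessions.get(session_id)
        if s is None or s["host"] != request_host.lower():
            return None
        return s["user"]


# Constructed scenario: app A on a.example.org logs alice in.  PARENT_SCOPED is
# the header Burp would flag; HOST_ONLY is the hardened form.
PARENT_SCOPED = "sessionid=s3cr3t; Domain=example.org; Path=/; Secure; HttpOnly"
HOST_ONLY = "__Host-sessionid=s3cr3t; Path=/; Secure; HttpOnly"


def demo() -> Dict[str, object]:
    store = SessionStore()
    store.create("s3cr3t", "alice", "a.example.org")
    return {
        "parent_cookie_reaches_b": cookie_sent_to(PARENT_SCOPED, "a.example.org", "b.example.org"),
        "host_only_reaches_b": cookie_sent_to(HOST_ONLY, "a.example.org", "b.example.org"),
        "host_only_reaches_a": cookie_sent_to(HOST_ONLY, "a.example.org", "a.example.org"),
        "lookalike_excluded": cookie_sent_to(PARENT_SCOPED, "a.example.org", "evil-example.org"),
        "b_accepts_unbound": store.lookup_unbound("s3cr3t", "b.example.org"),
        "b_accepts_bound": store.lookup_bound("s3cr3t", "b.example.org"),
        "a_accepts_bound": store.lookup_bound("s3cr3t", "a.example.org"),
        "host_prefix_ok": host_prefix_ok(HOST_ONLY),
        "host_prefix_rejects_domain": host_prefix_ok("__Host-sid=x; Domain=example.org; Path=/; Secure"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things fall out of running it. The parent-scoped cookie reaches b.example.org while the host-only one does not, which is the "hop" from the thread, and the unbound store returns alice to app B even though alice never logged in there, while the bound store returns nothing. Fix both: a host-only (ideally __Host- prefixed) cookie stops the browser from carrying the id across, and binding the session to the issuing host means a forged Host or Referer header gains nothing even if an id does arrive. The second check is the one that matters when subdomains genuinely need to share a parent-scoped cookie.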

