[Owasp-leaders] Subdomain issues (multiple subdomains redirect to different applications)

Matt Tesauro matt.tesauro at owasp.org
Thu Feb 18 00:45:51 UTC 2016


Johanna,

No worries.  I was also surprised by that long list of hostnames and
equally happy to discover that 96% of it wasn't actionable.

And now we have 10 fewer DNS records that point to nonexistent servers.

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site
On Feb 17, 2016 1:31 PM, "johanna curiel curiel" <johanna.curiel at owasp.org>
wrote:

> >>Of the list of 206 host names, 187 didn't resolve or 90.8% of those
> hostnames are bad - aka aren't in DNS.  OWASP Foundation can control the
> DNS zone files but not what random people either want to link to on the
> Internet or perhaps non-authoritatively resolve.  If people on the Internet
> choose to create bad links or use non-authoritative DNS, that's their
> problem and something the OWASP Foundation has zero control over.
>
>
> Hi Matt,
>
> Thanks for taking the time to verify and confirm this information with us.
> My apologies if I gave the wrong impression; my reaction was based on the
> previous list, which really impressed me.
>
> Cheers
>
> Johanna
>
> On Wed, Feb 17, 2016 at 2:04 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>
>> Johanna,
>>
>> Of the 119 resolving records (206 minus 187), my review shows 10 stale
>> DNS records.  That's 8.4% stale records for the resolving hostnames Tom
>> provided.  For the entire list of 206 hostnames, that's 4.8% stale DNS
>> records.
>>
>> The following stale DNS records will be removed:
>> es.owasp.org has address 50.57.64.91
>> wiki.owasp.org has address 192.237.166.62
>> wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
>> wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
>> wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
>> stage.owasp.org has address 50.56.28.235
>> jobs.owasp.org is an alias for owasp.org.
>> connect.owasp.org has address 50.56.28.235
>> update-wiki.owasp.org has address 67.207.155.190
>> update-wiki.owasp.org has IPv6 address
>> 2001:4801:7823:76:cd2c:d9de:ff10:ba46
>>
>> Consider the DNS cleaned up shortly.  As luck would have it, there's
>> currently a problem with Rack's Cloud DNS:
>>   "On 17 February 2016 at 09:15 CST, engineers became aware of an issue
>> affecting DNS updates. At this time customers may experience delays of up
>> to 30 minutes for DNS changes."
>> see https://status.rackspace.com/index/viewincidents?group=14
>>
>> This is breaking the API and web interfaces to Rack's Cloud DNS.  As soon
>> as the Cloud DNS issue is resolved at Rack, I'll remove the 10 stale
>> entries assuming the support ticket I put in doesn't get handled first.
>>
>> I'll now go find and close the ticket raised.
>>
>> non-TLDR version:
>>
>> $ calc 206 - 87
>> 119
>> $ calc 10/119
>> ~0.08403361344537815126
>> $ calc 10/206
>> ~0.04854368932038834951
>> $ grep -v "not found" resolving-tom-b-host-list
>> lists.owasp.org has address 162.209.12.188
>> lists.owasp.org mail is handled by 10 d15006a.ess.barracudanetworks.com.
>> lists.owasp.org mail is handled by 20 d15006b.ess.barracudanetworks.com.
>> owasp4.owasp.org has address 198.101.154.205
>> ocms.owasp.org has address 198.101.154.205
>> es.owasp.org has address 50.57.64.91
>> phpsec.owasp.org has address 198.101.154.205
>> wiki.owasp.org has address 192.237.166.62
>> wiki.owasp.org has IPv6 address 2001:4801:7821:77:cd2c:d9de:ff10:170e
>> wiki.owasp.org mail is handled by 10 mxa.mailgun.org.
>> wiki.owasp.org mail is handled by 10 mxb.mailgun.org.
>> stage.owasp.org has address 50.56.28.235
>> sl.owasp.org is an alias for ghs.google.com.
>> ghs.google.com is an alias for ghs.l.google.com.
>> ghs.l.google.com has address 64.233.180.121
>> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c12::79
>> my.owasp.org is an alias for myowasp.ning.com.
>> myowasp.ning.com has address 208.82.16.68
>> myowasp.ning.com mail is handled by 10 amx.ning.com.
>> mail.owasp.org is an alias for ghs.google.com.
>> ghs.google.com is an alias for ghs.l.google.com.
>> ghs.l.google.com has address 64.233.168.121
>> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c0c::79
>> jobs.owasp.org is an alias for owasp.org.
>> owasp.org has address 104.130.192.89
>> owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
>> owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
>> groups.owasp.org is an alias for ghs.google.com.
>> ghs.google.com is an alias for ghs.l.google.com.
>> ghs.l.google.com has address 64.233.168.121
>> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c07::79
>> docs.owasp.org is an alias for ghs.google.com.
>> ghs.google.com is an alias for ghs.l.google.com.
>> ghs.l.google.com has address 108.177.9.121
>> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c09::79
>> contact.owasp.org has address 198.101.154.205
>> connect.owasp.org has address 50.56.28.235
>> calendar.owasp.org is an alias for ghs.google.com.
>> ghs.google.com is an alias for ghs.l.google.com.
>> ghs.l.google.com has address 108.177.9.121
>> ghs.l.google.com has IPv6 address 2607:f8b0:4003:c13::79
>> austin.owasp.org is an alias for owasp.org.
>> owasp.org has address 104.130.192.89
>> owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
>> owasp.org mail is handled by 10 ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX2.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 20 ALT1.ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX5.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 30 ASPMX3.GOOGLEMAIL.COM.
>> owasp.org mail is handled by 20 ALT2.ASPMX.L.GOOGLE.COM.
>> owasp.org mail is handled by 30 ASPMX4.GOOGLEMAIL.COM.
>> www.owasp.org has address 104.130.192.89
>> www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
>> www.owasp.org has address 104.130.192.89
>> www.owasp.org has IPv6 address 2001:4801:7828:101:be76:4eff:fe10:2b6e
>> origin-www.owasp.org has address 192.237.166.62
>> update-wiki.owasp.org has address 67.207.155.190
>> update-wiki.owasp.org has IPv6 address
>> 2001:4801:7823:76:cd2c:d9de:ff10:ba46
>> kerala.owasp.org is an alias for home-owaspkerala.rhcloud.com.
>> home-owaspkerala.rhcloud.com is an alias for
>> ex-std-node551.prod.rhcloud.com.
>> ex-std-node551.prod.rhcloud.com is an alias for
>> ec2-54-165-213-223.compute-1.amazonaws.com.
>> ec2-54-165-213-223.compute-1.amazonaws.com has address 54.165.213.223
>>
>> --
>> -- Matt Tesauro
>> OWASP AppSec Pipeline Lead
>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>> OWASP WTE Project Lead
>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>> http://AppSecLive.org - Community and Download site
>>
>>
>> On Tue, Feb 16, 2016 at 10:43 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Brraaaaw....
>>> That also needs some serious cleaning up
>>>
>>> On Wed, Feb 17, 2016 at 12:38 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>> wrote:
>>>
>>>> Test these *cough*
>>>>
>>>> Note ongoing ticket on why we have some of these active..
>>>>
>>>> lists.owasp.org
>>>> owasp4.owasp.org
>>>> ocms.owasp.org
>>>> ml1lists.owasp.org
>>>> ads.owasp.org
>>>> es.owasp.org
>>>> phpsec.owasp.org
>>>> alt2.aspmx.l.owasp.org
>>>> aspmx3.owasp.org
>>>> aspmx5.owasp.org
>>>> aspmx.l.owasp.org
>>>> alt1.aspmx.l.owasp.org
>>>> aspmx2.owasp.org
>>>> aspmx4.owasp.org
>>>> dns1.owasp.org
>>>> dns2.owasp.org
>>>> wiki.owasp.org
>>>> stage.owasp.org
>>>> sl.owasp.org
>>>> my.owasp.org
>>>> mail.owasp.org
>>>> jobs.owasp.org
>>>> groups.owasp.org
>>>> docs.owasp.org
>>>> contact.owasp.org
>>>> connect.owasp.org
>>>> calendar.owasp.org
>>>> austin.owasp.org
>>>> mxb.owasp.org
>>>> mxa.owasp.org
>>>> d15006a.ess.owasp.org
>>>> d15006b.ess.owasp.org
>>>> gs.owasp.org
>>>> mx.owasp.org
>>>> ww.owasp.org
>>>> old.owasp.org
>>>> rna.owasp.org
>>>> zig.owasp.org
>>>> _caldavs._tcp.owasp.org
>>>> _autodiscover._tcp.owasp.org
>>>> _sipfederationtls._tcp.owasp.org
>>>> ads2.owasp.org
>>>> alex.owasp.org
>>>> beta.owasp.org
>>>> clan.owasp.org
>>>> hwww.owasp.org
>>>> lain.owasp.org
>>>> liss.owasp.org
>>>> vb.liss.owasp.org
>>>> blog.liss.owasp.org
>>>> chat.liss.owasp.org
>>>> mybb.liss.owasp.org
>>>> wiki.liss.owasp.org
>>>> board.liss.owasp.org
>>>> forum.liss.owasp.org
>>>> piwik.liss.owasp.org
>>>> boards.liss.owasp.org
>>>> webstats.liss.owasp.org
>>>> analytics.liss.owasp.org
>>>> phpmyadmin.liss.owasp.org
>>>> rear.owasp.org
>>>> some.owasp.org
>>>> soup.owasp.org
>>>> www2.owasp.org
>>>> vb.www2.owasp.org
>>>> chat.www2.owasp.org
>>>> mybb.www2.owasp.org
>>>> wiki.www2.owasp.org
>>>> board.www2.owasp.org
>>>> piwik.www2.owasp.org
>>>> stats.www2.owasp.org
>>>> boards.www2.owasp.org
>>>> dokuwiki.www2.owasp.org
>>>> webstats.www2.owasp.org
>>>> analytics.www2.owasp.org
>>>> phpmyadmin.www2.owasp.org
>>>> blogs.owasp.org
>>>> vb.blogs.owasp.org
>>>> blog.blogs.owasp.org
>>>> chat.blogs.owasp.org
>>>> mybb.blogs.owasp.org
>>>> wiki.blogs.owasp.org
>>>> board.blogs.owasp.org
>>>> forum.blogs.owasp.org
>>>> piwik.blogs.owasp.org
>>>> stats.blogs.owasp.org
>>>> forums.blogs.owasp.org
>>>> dokuwiki.blogs.owasp.org
>>>> webstats.blogs.owasp.org
>>>> analytics.blogs.owasp.org
>>>> phpmyadmin.blogs.owasp.org
>>>> cache.owasp.org
>>>> fable.owasp.org
>>>> forum.owasp.org
>>>> vb.forum.owasp.org
>>>> blog.forum.owasp.org
>>>> chat.forum.owasp.org
>>>> mybb.forum.owasp.org
>>>> wiki.forum.owasp.org
>>>> board.forum.owasp.org
>>>> forum.forum.owasp.org
>>>> piwik.forum.owasp.org
>>>> stats.forum.owasp.org
>>>> boards.forum.owasp.org
>>>> forums.forum.owasp.org
>>>> dokuwiki.forum.owasp.org
>>>> webstats.forum.owasp.org
>>>> analytics.forum.owasp.org
>>>> phpmyadmin.forum.owasp.org
>>>> frill.owasp.org
>>>> gourd.owasp.org
>>>> graft.owasp.org
>>>> hayes.owasp.org
>>>> htwww.owasp.org
>>>> lucky.owasp.org
>>>> wendy.owasp.org
>>>> behest.owasp.org
>>>> drudge.owasp.org
>>>> dugout.owasp.org
>>>> httwww.owasp.org
>>>> inhale.owasp.org
>>>> medium.owasp.org
>>>> method.owasp.org
>>>> mockup.owasp.org
>>>> www.owasp.orgwww.owasp.org
>>>> second.owasp.org
>>>> switch.owasp.org
>>>> troupe.owasp.org
>>>> www.owasp.org
>>>> cameron.owasp.org
>>>> clobber.owasp.org
>>>> httpwww.owasp.org
>>>> mailman.owasp.org
>>>> w ww.owasp.org
>>>> lessons.webgoat.owasp.org
>>>> webmail.owasp.org
>>>> wiki191.owasp.org
>>>> vb.wiki191.owasp.org
>>>> blog.wiki191.owasp.org
>>>> chat.wiki191.owasp.org
>>>> mybb.wiki191.owasp.org
>>>> wiki.wiki191.owasp.org
>>>> board.wiki191.owasp.org
>>>> forum.wiki191.owasp.org
>>>> piwik.wiki191.owasp.org
>>>> stats.wiki191.owasp.org
>>>> boards.wiki191.owasp.org
>>>> forums.wiki191.owasp.org
>>>> dokuwiki.wiki191.owasp.org
>>>> webstats.wiki191.owasp.org
>>>> analytics.wiki191.owasp.org
>>>> phpmyadmin.wiki191.owasp.org
>>>> willful.owasp.org
>>>> woodhen.owasp.org
>>>> ww w.owasp.org
>>>> www.owasp.org
>>>> defector.owasp.org
>>>> flourish.owasp.org
>>>> freakish.owasp.org
>>>> httpswww.owasp.org
>>>> intimate.owasp.org
>>>> isopleth.owasp.org
>>>> chromatin.owasp.org
>>>> downgrade.owasp.org
>>>> electoral.owasp.org
>>>> handwrite.owasp.org
>>>> influence.owasp.org
>>>> infusible.owasp.org
>>>> metabolic.owasp.org
>>>> solipsism.owasp.org
>>>> _adsp._domainkey.owasp.org
>>>> _policy._domainkey.owasp.org
>>>> autoconfig.owasp.org
>>>> cunningham.owasp.org
>>>> manservant.owasp.org
>>>> origin-www.owasp.org
>>>> picosecond.owasp.org
>>>> redemption.owasp.org
>>>> strawberry.owasp.org
>>>> %3cbr%3ewww.owasp.org
>>>> owasp%20www.owasp.org
>>>> partnerpage.owasp.org
>>>> update-wiki.owasp.org
>>>> w%3cbr%3eww.owasp.org
>>>> ww%3cbr%3ew.owasp.org
>>>> www%3cbr%3e.owasp.org
>>>> autodiscover.owasp.org
>>>> edonkeycenter.owasp.org
>>>> vb.edonkeycenter.owasp.org
>>>> blog.edonkeycenter.owasp.org
>>>> chat.edonkeycenter.owasp.org
>>>> mybb.edonkeycenter.owasp.org
>>>> wiki.edonkeycenter.owasp.org
>>>> board.edonkeycenter.owasp.org
>>>> forum.edonkeycenter.owasp.org
>>>> piwik.edonkeycenter.owasp.org
>>>> stats.edonkeycenter.owasp.org
>>>> boards.edonkeycenter.owasp.org
>>>> dokuwiki.edonkeycenter.owasp.org
>>>> webstats.edonkeycenter.owasp.org
>>>> analytics.edonkeycenter.owasp.org
>>>> phpmyadmin.edonkeycenter.owasp.org
>>>> ns1.owasp.org
>>>> ns2.owasp.org
>>>> pdns01.owasp.org
>>>> pdns02.owasp.org
>>>> kerala.owasp.org
>>>>
>>>> Anyone who wants to play with a new DNS tool I am working on hit me up
>>>> off list.
>>>>
>>>> Tom Brennan
>>>> Global Board of Directors
>>>> NYC/NJ Metro Chapter Leader
>>>> (d) 973-506-9304
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>>
>>>> On Tue, Feb 16, 2016 at 11:32 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> No, it is about system admins that create many subdomains, but each
>>>>> subdomain should have a proper level of access, and Set-Cookie is not
>>>>> properly set up for each subdomain, so you can 'hop' from one subdomain to
>>>>> another using the same cookie ;-)
>>>>>
>>>>> I tested the Cybertool, quite nice for analysing domains. In my case
>>>>> the sysadmin/web dev has been smart enough to set a proper robots file that
>>>>> does not allow spidering, so I don't get a list of the existing subdomains
>>>>> like the graphics you sent. However, I found something concerning regarding
>>>>> one of the servers, which seems to be on a blacklist....
>>>>>
>>>>> Thanks for the tip, I'll test further these days to find out more about
>>>>> how it works
>>>>>
>>>>> Cheers
>>>>>
>>>>> On Wed, Feb 17, 2016 at 12:23 AM, Tom Brennan - OWASP <tomb at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Are you referring to what is happening with the OWASP subdomains?
>>>>>>
>>>>>> Tom Brennan
>>>>>> Global Board of Directors
>>>>>> (d) 973-506-9304
>>>>>>
>>>>>> OWASP Foundation | www.owasp.org
>>>>>>
>>>>>> On Tue, Feb 16, 2016 at 4:03 AM, Ali Razmjoo <ali.razmjoo at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Johanna,
>>>>>>>
>>>>>>> I don't have much information, but like @Munir said, it could be used
>>>>>>> for insecure redirects and it's usable for phishing attacks.
>>>>>>> Second, you can access the original website, and sometimes it
>>>>>>> could help us to bypass firewalls or WAFs by that. [It could be useful
>>>>>>> if you feel the server has a firewall which is blocking your request for
>>>>>>> testing a bug.]
>>>>>>> Third, you may get access to see a restricted area, or internal
>>>>>>> servers/hosts, by changing your request; it's not easy to guess internal
>>>>>>> hosts or IP addresses, and I don't see any software or scanner to do it for
>>>>>>> you, but it's not that hard if you have a live target and make a [python]
>>>>>>> script for this. You may also test some ports on the target; you can bypass
>>>>>>> to access them [through http] to see there too.
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Feb 16, 2016 at 10:56 AM, Munir Njiru <munir.njiru at owasp.org
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Hi Johanna,
>>>>>>>> Seeing again that no revalidation is done, an attacker in my view would
>>>>>>>> also look for insecure direct object references, hence accessing assets they
>>>>>>>> shouldn't.
>>>>>>>>
>>>>>>>> Munir Njenga,
>>>>>>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>>>>>>> Developer
>>>>>>>> Mob   (KE) +254 (0) 734960670
>>>>>>>>
>>>>>>>> =============================
>>>>>>>> Chapter Page: www.owasp.org/index.php/Kenya
>>>>>>>> Project Site:
>>>>>>>> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
>>>>>>>> Email: munir.njiru at owasp.org
>>>>>>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>>>>>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Feb 16, 2016 at 7:42 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Forgot to mention, other vulnerabilities than session fixation
>>>>>>>>>
>>>>>>>>> The situation is the following:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>>>    server
>>>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>>>    - However, session ids are not properly validated, as userA can
>>>>>>>>>    make a request on subdomain_A and use the same session id if he browses to
>>>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>>>    Host, I'm able to show in the URL that I'm in subdomainB, however I'm userA.
>>>>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>>>>    showing subdomainB
>>>>>>>>>
>>>>>>>>> Questions
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>>>    authentication (let's say impersonate and log in to the subdomainB application) other
>>>>>>>>>    than session fixation
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - Are there any other kinds of risks associated with this
>>>>>>>>>    vulnerability?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    - When I tested this using Burp, I got a message 'Cookie
>>>>>>>>>    scoped to parent domain' (which of course allowed me to trick the server
>>>>>>>>>    with the Referer/Host request tampering)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Feb 15, 2016 at 10:07 PM, johanna curiel curiel <
>>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hi leaders
>>>>>>>>>>
>>>>>>>>>> I have a question. I was looking for some info to understand the
>>>>>>>>>> attack surface but could not find a specific case or documentation
>>>>>>>>>> regarding this
>>>>>>>>>>
>>>>>>>>>> The situation is the following:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    - A system admin has configured multiple subdomains under 1
>>>>>>>>>>    server
>>>>>>>>>>    - A reverse proxy redirects to subdomains
>>>>>>>>>>    - However, session ids are not properly validated, as userA
>>>>>>>>>>    can make a request on subdomain_A and use the same session id if he browses to
>>>>>>>>>>    subdomainB (the server/application does not revalidate a new session again)
>>>>>>>>>>    - After tampering with request headers such as Referer and
>>>>>>>>>>    Host, I'm able to show in the URL that I'm in subdomainB, however I'm userA.
>>>>>>>>>>    Funny enough, the application shown is from subdomainA but the URL is
>>>>>>>>>>    showing subdomainB
>>>>>>>>>>
>>>>>>>>>> Questions
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    - What are the possible attack vectors to bypass the
>>>>>>>>>>    authentication (let's say impersonate and log in to the subdomainB application)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    - Are there any other kinds of risks associated with this
>>>>>>>>>>    vulnerability?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    - When I tested this using Burp, I got a message 'Cookie
>>>>>>>>>>    scoped to parent domain' (which of course allowed me to trick the server
>>>>>>>>>>    with the Referer/Host request tampering)
>>>>>>>>>>
>>>>>>>>>> Cheers
>>>>>>>>>>
>>>>>>>>>> Johanna
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> The information contained in this message and any attachments may be
>>>>>> privileged, confidential, proprietary or otherwise protected from
>>>>>> disclosure. If you, the reader of this message, are not the intended
>>>>>> recipient, you are hereby notified that any dissemination, distribution,
>>>>>> copying or use of this message and any attachment is strictly prohibited.
>>>>>> If you have received this message in error, please notify the sender
>>>>>> immediately by replying to the message, permanently delete it from your
>>>>>> computer and destroy any printout.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
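Added example, not code from this thread or from any of the posters: a minimal session handler showing the two fixes Johanna's scenario calls for. The session cookie is issued host-only (no Domain attribute, which is what Burp's "cookie scoped to parent domain" finding is about), and the server only honours a session id on the host it was issued for, behind a Host-header allowlist so a tampered Host cannot steer the request. The hostnames a.example.test and b.example.test, the SessionStore class and all requests are constructed placeholders.

```python
"""Session binding across subdomains (constructed demonstration).

Assumptions (not from the thread): two subdomains a.example.test and
b.example.test served by one reverse proxy, and an in-memory SessionStore.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

# The reverse proxy / application should only answer for names it serves;
# anything else is a tampered or misrouted Host header.
ALLOWED_HOSTS = {"a.example.test", "b.example.test"}


class SessionStore:
    """Maps session id -> {user, host}; the host the session was issued on."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, host):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "host": host}
        return sid

    def lookup(self, sid, host):
        """Return the user only if the session was issued for this exact host.
        A session created on a.example.test is not valid on b.example.test."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["host"], host):
            return None
        return sess["user"]


def weak_set_cookie(sid):
    # Domain=.example.test makes the browser send the cookie to every
    # subdomain, so one session id 'hops' between applications.
    return f"session={sid}; Domain=.example.test; Path=/"


def hardened_set_cookie(sid):
    # Host-only cookie: no Domain attribute, so the browser sends it only to
    # the host that set it. Secure/HttpOnly/SameSite limit theft and CSRF.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(value):
    c = SimpleCookie()
    c.load(value)
    return {k: m.value for k, m in c.items()}


def handle(request, store):
    """request: {'headers': {...}}. Returns (status, body)."""
    headers = request["headers"]
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        return 400, "unknown Host"
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    user = store.lookup(cookies.get("session", ""), host)
    if user is None:
        # No session for this host: the caller must authenticate here,
        # instead of being recognised from another subdomain's session.
        return 401, "no valid session for this host"
    return 200, f"hello {user} on {host}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("userA", "a.example.test")
    print(hardened_set_cookie(sid))
    for host in ("a.example.test", "b.example.test", "evil.example.test"):
        req = {"headers": {"Host": host, "Cookie": f"session={sid}"}}
        print(host, handle(req, store))
```

The host check belongs in the application as well as the proxy: the proxy decides which backend sees the request, but only the application knows which host a session was created for, so a Referer or Host rewrite cannot turn an a.example.test session into a b.example.test one.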
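Added example, not Matt's tooling or anything from the thread: a parser for the `host` output format quoted above ("has address", "has IPv6 address", "is an alias for", "mail is handled by", plus the "not found" lines Matt filtered out with grep), followed by the triage step he did by hand, flagging records in our zone that point at addresses no longer in the server inventory or at in-zone names that no longer resolve. The sample output, the example.test names and the LIVE inventory are constructed placeholders using documentation address ranges.

```python
"""Stale DNS record triage from `host` output (constructed example).

Assumptions (not from the thread): the zone is example.test, LIVE is the
set of addresses of servers we still operate, and SAMPLE is made-up
`host` output using RFC 5737 / RFC 3849 documentation addresses.
"""
import re
from collections import defaultdict

# Line formats `host` prints, in the shapes seen in the thread.
PATTERNS = [
    ("A", re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA", re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+)\.$")),
    ("MX", re.compile(r"^(\S+) mail is handled by (\d+) (\S+)\.$")),
]
NXDOMAIN = re.compile(r"^Host (\S+) not found")


def parse_host_output(text):
    """Return (records, missing): records as (owner, type, target) tuples,
    missing as the names that got NXDOMAIN."""
    records, missing = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NXDOMAIN.match(line)
        if m:
            missing.append(m.group(1))
            continue
        for rtype, pat in PATTERNS:
            m = pat.match(line)
            if m:
                target = m.group(m.lastindex)  # MX: skip the preference
                records.append((m.group(1), rtype, target))
                break
    return records, missing


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def find_stale(records, live_addresses, zone):
    """Owner names in our zone whose records point somewhere we no longer run.
    - A/AAAA: stale if the address is not in the live inventory
    - CNAME/MX: stale if the target is in our zone but has no address records
    Names outside the zone (Google, Amazon chains) are not ours to clean."""
    own = defaultdict(list)
    for owner, rtype, target in records:
        own[owner].append((rtype, target))
    stale = set()
    for owner, rrs in own.items():
        if not in_zone(owner, zone):
            continue
        for rtype, target in rrs:
            if rtype in ("A", "AAAA") and target not in live_addresses:
                stale.add(owner)
            elif rtype in ("CNAME", "MX") and in_zone(target, zone) and not any(
                t in ("A", "AAAA") for t, _ in own.get(target, [])
            ):
                stale.add(owner)
    return sorted(stale)


def triage(text, live_addresses, zone):
    records, missing = parse_host_output(text)
    return find_stale(records, live_addresses, zone), missing


# Constructed sample output; 192.0.2.99 is a decommissioned box and
# gone.example.test no longer exists, so two records are stale.
SAMPLE = """\
www.example.test has address 192.0.2.10
www.example.test has IPv6 address 2001:db8::10
old.example.test has address 192.0.2.99
jobs.example.test is an alias for www.example.test.
blog.example.test is an alias for gone.example.test.
example.test mail is handled by 10 mx.example.test.
mx.example.test has address 192.0.2.25
Host typo.example.test not found: 3(NXDOMAIN)
"""
LIVE = {"192.0.2.10", "2001:db8::10", "192.0.2.25"}

if __name__ == "__main__":
    stale, missing = triage(SAMPLE, LIVE, "example.test")
    print("stale:", stale)
    print("nxdomain (nothing to clean):", missing)
```

Records that resolve but point at hosts nobody operates any more are the ones worth removing promptly: a name that still resolves to a released cloud address or an abandoned third-party alias is the usual starting point for a dangling-record takeover, whereas the NXDOMAIN names in the original list were never in the zone and need no action.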