[ISN] Little-Known Hole Lets Attacker Hit Main Website Domain Via Its Subdomains
InfoSec News
alerts at infosecnews.org
Fri Nov 6 00:36:32 CST 2009
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600496
By Kelly Jackson Higgins
DarkReading
Nov 05, 2009
Turns out an exploit on a Website's subdomain can be used to attack the
main domain: A researcher has released a proof-of-concept showing how
cookies can be abused to execute such an insidious attack.
Michael Bailey, senior researcher for Foreground Security, published a
paper this week that demonstrates how an exploit in a subdomain, such as
mail.google.com, could be used to hack the main production domain,
google.com, all because of the way browsers handle cookies.
"There's no specific vulnerability here, but it's widening the attack
surface for any large organization that has more than one [Web] server
set up. A [vulnerability] in any one of those servers can affect all the
rest," Bailey says.
Most Web developers aren't aware that a vulnerability in a subdomain
could be used to target the main domain. "We're trying to get the
message out that now you have to treat everything [in the domain] as
though someone can compromise your crown jewels," says Michael Murray,
CSO for Foreground. "You have to realize that every vulnerability, every
attack vector in those subdomains, can be used to compromise [other
areas of the domain]," he says.
It all boils down to the browsers themselves. Within the DNS
architecture, the main domain -- fortune500company.com, for instance --
has control over its subdomains, such as
development.fortune500company.com. Development.fortune500company.com has
no authority to change anything on the main fortune500company.com site.
But browsers do the reverse, Murray says.
Development.fortune500company.com can set cookies for
fortune500company.com, the main domain. That leaves the door open for
cookie-tampering, he says, when the subdomain has an exploitable
vulnerability, such as cross-site scripting (XSS) or cross-site request
forgery (CSRF).
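Added example, not from the article or from Foreground Security's paper: a small Python model of the browser cookie rules the article describes. It shows that a Set-Cookie received from development.fortune500company.com with Domain=fortune500company.com is attached to requests for the main domain right next to the main site's own cookie of the same name, and that the __Host- cookie prefix (a later browser feature, not mentioned in the article) makes the browser drop such a cookie. Host names and cookie values are constructed; Path and Secure matching on send are omitted.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # the host (host-only cookie) or the domain the cookie applies to
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host is the domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class BrowserJar:
    """Minimal model of browser Set-Cookie handling (Path/Secure matching on send omitted)."""
    def __init__(self):
        self.cookies = []

    def set_cookie(self, origin_host: str, header: str) -> bool:
        """Store a Set-Cookie header received from origin_host; False if the browser rejects it."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in parts[1:])}
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and not domain_matches(origin_host, domain):
            return False  # a host may name itself or a parent domain, never a sibling
        cookie = Cookie(name, value, domain or origin_host.lower(), host_only=not domain)
        # __Host- prefix (RFC 6265bis, not in the article): the cookie must be Secure, Path=/
        # and host-only, so one planted from a subdomain with a Domain attribute is dropped.
        if name.startswith("__Host-") and not (
                cookie.host_only and "secure" in attrs and attrs.get("path") == "/"):
            return False
        key = (cookie.name, cookie.domain, cookie.host_only)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.host_only) != key] + [cookie]
        return True

    def cookies_for(self, host: str) -> dict:
        """Name -> values the browser would attach to a request for host."""
        sent: dict = {}
        for c in self.cookies:
            if (c.host_only and host.lower() == c.domain) or (not c.host_only and domain_matches(host, c.domain)):
                sent.setdefault(c.name, []).append(c.value)
        return sent

def demo() -> dict:
    """Constructed scenario following the article's fortune500company.com example."""
    jar = BrowserJar()
    jar.set_cookie("fortune500company.com", "session=legit")  # main site, host-only cookie
    jar.set_cookie("development.fortune500company.com",
                   "session=planted; Domain=fortune500company.com")  # set from the subdomain
    jar.set_cookie("fortune500company.com", "__Host-session=legit; Secure; Path=/")
    planted = jar.set_cookie("development.fortune500company.com",
                             "__Host-session=planted; Domain=fortune500company.com; Secure; Path=/")
    return {"to_main": jar.cookies_for("fortune500company.com"), "host_prefix_planted": planted}
```

The main domain receives two cookies named `session` and has no way to tell which one it set itself, while the `__Host-session` cookie arrives only from the main site.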
[...]