By Kelly Jackson Higgins
Nov 05, 2009
Turns out an exploit on a Website's subdomain can be used to attack the
main domain: A researcher has released a proof-of-concept showing how
cookies can be abused to execute such an insidious attack.
Michael Bailey, senior researcher for Foreground Security, published a
paper this week that demonstrates how an exploit in a subdomain, such as
mail.google.com, could be used to hack the main production domain,
google.com, all because of the way browsers handle cookies.
"There's no specific vulnerability here, but it's widening the attack
surface for any large organization that has more than one [Web] server
set up. A [vulnerability] in any one of those servers can affect all the
rest," Bailey says.
Most Web developers aren't aware that a vulnerability in a subdomain
could be used to target the main domain. "We're trying to get the
message out that now you have to treat everything [in the domain] as
though someone can compromise your crown jewels," says Michael Murray,
CSO for Foreground. "You have to realize that every vulnerability, every
attack vector in those subdomains, can be used to compromise [other
areas of the domain]," he says.
It all boils down to the browsers themselves. Within the DNS
architecture, the main domain -- fortune500company.com, for instance --
has control over its subdomains, such as
development.fortune500company.com. Development.fortune500company.com has
no authority to change anything on the main fortune500company.com site.
But browsers do the reverse, Murray says.
Development.fortune500company.com can set cookies for
fortune500company.com, the main domain. That leaves the door open for
cookie-tampering, he says, when the subdomain has an exploitable
vulnerability, such as cross-site scripting (XSS) or cross-site request
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News