Cross-subdomain Session Fixation

By Mike Bailey
September 2, 2010

Last fall I wrote a bit about cross-subdomain cookie attacks. The more
uses I come across for them, the more I think they are a much more
serious issue than most people (myself included) have made them sound.
Today, I came across a variant which I'd theorized about in the past,
but never bothered to find in the wild, and I think it merits some

You may be familiar with Hack Is Wack, a stupid marketing campaign from
Norton/Symantec. The premise is simple: users submit videos, which are
voted on, and the winner gets to roll with Snoop Dogg...'s manager. You
may not know it, but most of Snoop's music is information 
security-related. "What's My Name" is about AuthN, "Drop it like it's 
Hot" is about SQL injection, not to mention constant references to cron, 
gzip, and other unix commands in his lyrics. It's really a pretty 
natural match.

At any rate, the Hack Is Wack site is chock full of holes. For example,
there's the publicly available, indexed cache directory with all that
SQL, JSON and other data. There are the XSS vulns (HTML5 only, though it
should be simple enough to rewrite), CSRF holes, and the Flash upload
issues in the video upload script (a Joomla module that appears to have
been used without any quality control or review despite the fact that
it's currently in alpha)
