[WEB SECURITY] document.domain / application security perimeter

application.secure application.secure application.secure at gmail.com
Tue May 13 03:35:16 EDT 2008


Hello,

I've recently faced up to the document.domain usage in an application that
we review.
Developers use this JavaScript command to allow JavaScript communication
between 2 different subdomains in the company.
In this case that was not really a security problem.

But from the point of view of an attacker this feature could be interesting.
Imagine a big company with 2 different applications hosted on 2
subdomains.
application 1 => subdomain1.company.com
application 2 => subdomain2.company.com

The first application is an e-commerce which is critical for application
security (company spends time and money to secure this application).
The second one is developed and managed by marketing service and is less
critical.

The first application is well protected against XSS (complete input
validation) but it contains one issue: somewhere in the application you can
inject and execute document.domain="company.com"

The second one contains a lot of basic XSS issues so you can inject and
execute a lot of XSS commands.

By initializing document.domain=company.com in the second application, all
XSS injected in this application can access the first application.
The attacker has full control of application 1 via application 2.

One small issue in your application extends your security perimeter.
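The rules behind the scenario above, as an added example that is not part of the original message: a small model of the HTML specification's document.domain setter and its "same origin-domain" comparison, with a constructed two-entry stand-in for the public suffix list. It shows that the relaxation needs both documents to assign the same value, and the originKeyed flag models the Origin-Agent-Cluster: ?1 response header, under which the setter does not change the origin at all.

```javascript
// Model (not browser code) of the HTML specification's document.domain setter and the
// "same origin-domain" check that decides whether two frames may script each other.
// Constructed stand-in for the public suffix list: values listed here are rejected.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

function makeOrigin(scheme, host, port) {
  // domain stays null until a document assigns document.domain
  return { scheme, host, port, domain: null };
}

function isRegistrableDomainSuffix(value, host) {
  if (value === host) return true;
  return host.endsWith("." + value) && !PUBLIC_SUFFIXES.has(value);
}

// originKeyed models a page served with "Origin-Agent-Cluster: ?1": the setter
// still validates the value but leaves the origin untouched, so nothing is relaxed.
function setDocumentDomain(origin, value, originKeyed = false) {
  if (!isRegistrableDomainSuffix(value, origin.host)) {
    throw new Error(`SecurityError: "${value}" is not a registrable domain suffix of ${origin.host}`);
  }
  if (originKeyed) return origin;
  origin.domain = value;
  return origin;
}

function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // neither side relaxed: ordinary same-origin comparison (port included)
  return a.domain === null && b.domain === null && a.host === b.host && a.port === b.port;
}

// The post's scenario: script on subdomain2 assigns document.domain = "company.com".
// That alone grants nothing; subdomain1 must have made the same assignment.
function scenario({ app1SetsDomain, originKeyed = false }) {
  const app1 = makeOrigin("https", "subdomain1.company.com", 443);
  const app2 = makeOrigin("https", "subdomain2.company.com", 443);
  setDocumentDomain(app2, "company.com", originKeyed);
  if (app1SetsDomain) setDocumentDomain(app1, "company.com", originKeyed);
  return sameOriginDomain(app1, app2);
}

// Reviewer aid: report the lines of a script that assign document.domain.
function findDomainAssignments(source) {
  return source.split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => /\bdocument\.domain\s*=[^=]/.test(text));
}
```

Running findDomainAssignments over an application's scripts is a quick way to locate every place that widens the origin, which is where a review should start.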