[WEB SECURITY] Isolating web applications under the same domain name

Ahamed Nafeez ahamednafeez at gmail.com
Thu Dec 20 05:50:13 EST 2012


Hi all,
 I was just wondering how could we isolate different web applications under
the same domain name. Say my domain name is 'site.com' and I have my main
web application running under "site.com/default/" . And let's say that I
have an use case where I need to run a blog, so I might have another web
application like say 'WordPress' running under ''site.com/blog".

Now how can I isolate these two with respect to client side security. I'm
already aware that according to the same-origin policy I can have my blog
running under a different sub-domain like, blog.site.com.
But, let's assume that I don't get a chance to do that (isoalting based on
different domain / sub-domains).

One possible way is to set cookies with respect to path, but that can be
eventually bypassed with an XSS in the vulnerable application by injecting
the desired iFrame and reading from that.

Is there a better way to isolate web applications under the same domain ?

-- 
Cheers,
Nafeez
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20121220/f8758162/attachment-0003.html>


More information about the websecurity mailing list