[WEB SECURITY] Isolating web applications under the same domain name

Ryan Barnett rcbarnett at gmail.com
Thu Dec 20 12:26:34 EST 2012


Perhaps issuing different CSP headers for the different paths (with
different policies) vs. only once then they hit your main index page.

-Ryan

From:  Ahamed Nafeez <ahamednafeez at gmail.com>
Date:  Thursday, December 20, 2012 5:50 AM
To:  <websecurity at lists.webappsec.org>
Subject:  [WEB SECURITY] Isolating web applications under the same domain
name

> Hi all,
>  I was just wondering how could we isolate different web applications under
> the same domain name. Say my domain name is 'site.com <http://site.com> ' and
> I have my main web application running under "site.com/default/
> <http://site.com/default/> " . And let's say that I have an use case where I
> need to run a blog, so I might have another web application like say
> 'WordPress' running under ''site.com/blog <http://site.com/blog> ".
> 
> Now how can I isolate these two with respect to client side security. I'm
> already aware that according to the same-origin policy I can have my blog
> running under a different sub-domain like, blog.site.com
> <http://blog.site.com> .
> But, let's assume that I don't get a chance to do that (isoalting based on
> different domain / sub-domains).
> 
> One possible way is to set cookies with respect to path, but that can be
> eventually bypassed with an XSS in the vulnerable application by injecting the
> desired iFrame and reading from that.
> 
> Is there a better way to isolate web applications under the same domain ?
> 
> -- 
> Cheers,
> Nafeez
> 
> _______________________________________________ The Web Security Mailing List
> WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss Join WASC on
> LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on Twitter
> http://twitter.com/wascupdates websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20121220/44a7b865/attachment-0003.html>


More information about the websecurity mailing list