[WEB SECURITY] Isolating web applications under the same domain name

Amit Klein aksecurity at gmail.com
Thu Dec 20 13:53:49 EST 2012

Check out my "Path Insecurity" writeup (of few years ago):


On Thu, Dec 20, 2012 at 12:50 PM, Ahamed Nafeez <ahamednafeez at gmail.com> wrote:
> Hi all,
>  I was just wondering how could we isolate different web applications under
> the same domain name. Say my domain name is 'site.com' and I have my main
> web application running under "site.com/default/" . And let's say that I
> have an use case where I need to run a blog, so I might have another web
> application like say 'WordPress' running under ''site.com/blog".
> Now how can I isolate these two with respect to client side security. I'm
> already aware that according to the same-origin policy I can have my blog
> running under a different sub-domain like, blog.site.com.
> But, let's assume that I don't get a chance to do that (isoalting based on
> different domain / sub-domains).
> One possible way is to set cookies with respect to path, but that can be
> eventually bypassed with an XSS in the vulnerable application by injecting
> the desired iFrame and reading from that.
> Is there a better way to isolate web applications under the same domain ?
> --
> Cheers,
> Nafeez
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list