[WEB SECURITY] Isolating web applications under the same domain name

MustLive mustlive at websecurity.com.ua
Wed Dec 26 16:55:57 EST 2012

Hi Nafeez!

Such thing as putting multiple web applications on the same site (on the same domain) is very widespread in Internet. I saw it already in 1998 and used such approach at many of my sites (if since 1999, when I've started web developing I did only with my own webapps, then since 2006 I became dealing also with third-party webapps at the same domain).

I see two different tendencies: 1) increasing using of multiple web applications at the same site (and in rare cases different subdomain are used, mostly it's one domain) and 2) centralization in one main web application.

The last tendency I see for last 7 years with increasing of popularity of CMS webapps. New webapps are creating as plugins for CMS, so admin of web site put one CMS and plugins for it and receive all the functionality he/she want, which earlier was possible only with separate webapps. Both conceptions (decentralized and centralized) have the same security issues, including client-side.

Most web site owners just install webapps into their sites, without worrying about any isolations and security concerns, but there are such who cares about it. So it's good that you asked.

The known strategies for your task are putting on different sub-domains or even domains, both of which are not suitable for you, and to put in different folder. But as Amit told you, using different cookies paths is not reliable solution. But there one more strategy.

> Now how can I isolate these two with respect to client side security. 

Regardless of how you will secure all webapps at one domain from client-side perspective, there are always server-side part of security (in this case different domains at different servers are better then just different sub-domains). So eliminating all client-side holes is not enough and the more webapps you put at one site, the more risks there will be.

Another solution for isolating purposes (concerning cookie protection) is to use special methods. They can be easily deployed at all webapps on the site and so it helps to solve your task. But at that these methods fixing only part of the problem (like cookie stealing), not the whole range of client-side attacks. In any case the only 100% solution is to find and fix all vulnerabilities.

I've developed one such method in the begging of 2008 and still not published it, but your letter to the list reminded me about it. So I decided to write series of articles about such methods of protection from XSS. Recently I've wrote about one such method - it's HttpOnly property for cookies. I don't respect it, never was and never will (and earlier wrote about its shortcomings), but there is such method with its pros and contras. Soon I'll write the next article, in which I'll describe my method (which have some advantages before HttpOnly, particularly it works as in new, as in older browsers - it's funky method). After I'll publish that article, I'll write about it to the list, so you'll be aware about my method ;-).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site

Ahamed Nafeez ahamednafeez at gmail.com
Thu Dec 20 05:50:13 EST 2012
Hi all,
 I was just wondering how could we isolate different web applications under
the same domain name. Say my domain name is 'site.com' and I have my main
web application running under "site.com/default/" . And let's say that I
have an use case where I need to run a blog, so I might have another web
application like say 'WordPress' running under ''site.com/blog".

Now how can I isolate these two with respect to client side security. I'm
already aware that according to the same-origin policy I can have my blog
running under a different sub-domain like, blog.site.com.
But, let's assume that I don't get a chance to do that (isoalting based on
different domain / sub-domains).

One possible way is to set cookies with respect to path, but that can be
eventually bypassed with an XSS in the vulnerable application by injecting
the desired iFrame and reading from that.

Is there a better way to isolate web applications under the same domain ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20121226/6cef967c/attachment-0003.html>

More information about the websecurity mailing list