[WEB SECURITY] Isolating web applications under the same domain name

James Kettle albinowax at gmail.com
Mon Dec 31 15:31:30 EST 2012


I believe the same origin policy takes the protocol of a URI into 
account. As such, with some careful server configuration you could have 
two separate web applications on one domain: http://site.com and 
https://site.com. Cookies would need to be flagged as httponly for both 
sites, and secure for the latter.

This is, of course, a terrible idea. As with the sub-domain approach, an 
XSS vulnerability in one site can be used to inject cookies onto the 
other. Plugins, password managers, users, geolocation whitelists and the 
like may fail to recognise the distinction between the two sites, and 
there are probably several critical flaws that I've failed to notice.

James


On 12/20/2012 10:50 AM, Ahamed Nafeez wrote:
> Hi all,
>  I was just wondering how could we isolate different web applications 
> under the same domain name. Say my domain name is 'site.com' and I have 
> my main web application running under "site.com/default/". And let's say 
> that I have a use case where I need to run a blog, so I might have another 
> web application like say 'WordPress' running under "site.com/blog".
>
> Now how can I isolate these two with respect to client side security? 
> I'm already aware that according to the same-origin policy I can have 
> my blog running under a different sub-domain like blog.site.com.
> But, let's assume that I don't get a chance to do that (isolating 
> based on different domain / sub-domains).
>
> One possible way is to set cookies with respect to path, but that can 
> be eventually bypassed with an XSS in the vulnerable application by 
> injecting the desired iFrame and reading from that.
>
> Is there a better way to isolate web applications under the same domain?
>
> -- 
> Cheers,
> Nafeez
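As an added illustration of the cookie-scoping points raised in both messages above (this is not code from the thread), the following Python models the RFC 6265 rules that matter here: a browser cookie store keyed only by name, host and path, so a cookie set from one application's path, or from the plain-http site, is delivered to the other application. The `CookieJar`, `path_match` and `demo` names and the site.com URLs are constructed for the example.

```python
from urllib.parse import urlsplit

def path_match(request_path, cookie_path):
    """Path-match of RFC 6265 section 5.1.4 (prefix match on a '/' boundary)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class CookieJar:
    """Toy browser cookie store (constructed for this example). Cookies are
    keyed by (name, host, path) only: the scheme and path of the page that
    set them are not part of the key, so neither one is an isolation boundary."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, page_url, header):
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
        # Any page on the host may pick any Path, including another app's.
        # (Real browsers derive a default path from the page URL; "/" here.)
        path = attrs.get("path") or "/"
        self.store[(name, urlsplit(page_url).hostname, path)] = (value, "secure" in attrs)

    def cookies_for(self, url):
        """Cookies a request to url carries; on a name clash the longest path
        is listed first, which is the value most server frameworks read."""
        u = urlsplit(url)
        sent = {}
        for (name, host, path), (value, secure) in sorted(
                self.store.items(), key=lambda kv: -len(kv[0][2])):
            if host != u.hostname or (secure and u.scheme != "https"):
                continue
            if path_match(u.path or "/", path):
                sent.setdefault(name, value)
        return sent

def demo():
    jar = CookieJar()
    # The main app sets a path-scoped, Secure session cookie over https.
    jar.set_cookie("https://site.com/default/login", "session=good; Path=/default; Secure")
    blog_sees = jar.cookies_for("https://site.com/blog/")    # path scoping holds: {}
    # A page under /blog (e.g. via the XSS in the thread) sets a cookie for the
    # other app's path over plain http; the main app then reads the forged one.
    jar.set_cookie("http://site.com/blog/post", "session=forged; Path=/default/")
    main_sees = jar.cookies_for("https://site.com/default/")  # {'session': 'forged'}
    return blog_sees, main_sees
```

The model reflects RFC 6265 as browsers implemented it at the time of the thread; current browsers following RFC 6265bis refuse to let a non-secure page set a cookie that would shadow an existing Secure cookie of the same name, and the `__Host-` cookie name prefix pins a cookie to a secure origin with Path=/, which narrows but does not remove the shared-domain problem.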
