<DIV>Such a thing as putting multiple web applications on the same site (on the
same domain) is very widespread on the Internet. I saw it already in 1998 and have used
such an approach at many of my sites (since 1999, when I started web
development, I dealt only with my own webapps; since 2006 I have also been dealing
with third-party webapps on the same domain).</DIV>
<DIV>I see two different tendencies: 1) increasing use of multiple web
applications at the same site (in rare cases different subdomains are used,
but mostly it's one domain) and 2) centralization in one main web application.</DIV>
<DIV>The last tendency I have seen for the last 7 years with the increasing popularity of
CMS webapps. New webapps are created as plugins for a CMS, so the admin of a web site
puts in one CMS and plugins for it and receives all the functionality he/she wants,
which earlier was possible only with separate webapps. Both conceptions
(decentralized and centralized) have the same security issues, including</DIV>
<DIV>Most web site owners just install webapps into their sites, without
worrying about any isolation or security concerns, but there are those who
care about it. So it's good that you asked.</DIV>
<DIV>The known strategies for your task are putting the webapps on different
sub-domains or even domains, both of which are not suitable for you, and
putting them in different folders. But as Amit told you, using different cookie
paths is not a reliable solution. But there is one more strategy.</DIV>
<DIV>> Now how can I isolate these two with respect to client-side security?</DIV>
<DIV>Regardless of how you secure all webapps on one domain from the
client-side perspective, there is always a server-side part of security (in this
case different domains on different servers are better than just
different sub-domains). So eliminating all client-side holes is not enough, and
the more webapps you put on one site, the more risks there will be.</DIV>
<DIV>Another solution for isolation purposes (concerning cookie
protection) is to use special methods. They can be easily deployed for all
webapps on the site and so help to solve your task. But these
methods fix only part of the problem (like cookie stealing), not the whole
range of client-side attacks. In any case the only 100% solution is to find
and fix all vulnerabilities.</DIV>
<DIV>I developed one such method at the beginning of 2008 and still have not
published it, but your letter to the list reminded me about it. So I decided to
write a series of articles about such methods of protection from XSS.
Recently I wrote about one such method: the HttpOnly property for cookies.
I don't respect it, never have and never will (and earlier wrote about its
shortcomings), but it is such a method, with its pros and cons. Soon
I'll write the next article, in which I'll describe my method (which
has some advantages over HttpOnly, particularly that it works in new as well as
in older browsers; it's a funky method). After I publish that article,
I'll write about it to the list, so you'll be aware of my method ;-).</DIV>
<DIV><FONT face=Arial>Best wishes &amp; regards,<BR>Eugene Dokukin aka
MustLive<BR>Administrator of Websecurity web site</FONT></DIV>
<DIV>Ahamed Nafeez ahamednafeez at gmail.com<BR>Thu Dec 20 05:50:13 EST</DIV>
I was just wondering how we could isolate different web applications under
the same domain name. Say my domain name is 'site.com' and I have my main
web application running under "site.com/default/". And let's say that I
have a use case where I need to run a blog, so I might have another web
application, like say 'WordPress', running under "site.com/blog".
Now how can I isolate these two with respect to client-side security? I'm
already aware that according to the same-origin policy I can have my blog
running under a different sub-domain like blog.site.com.
But let's assume that I don't get a chance to do that (isolating based on
different domains / sub-domains).
One possible way is to set cookies with respect to path, but that can
eventually be bypassed with an XSS in the vulnerable application by injecting
the desired iFrame and reading from that.
Is there a better way to isolate web applications under the same domain?
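The path-cookie limitation Ahamed describes, modelled as an added example (not code from either list post): it implements the RFC 6265 cookie path-match rule next to the same-origin comparison, showing that a page under /blog is not sent the /default cookie yet shares /default's origin, so a same-origin frame exposes document.cookie unless the cookie is HttpOnly or the blog lives on another host. The URLs and the SESSION cookie are constructed for the example.

```javascript
// Added example (not from the thread). Two separate rules decide whether a
// script can see a cookie, and only the second one is an isolation boundary:
// 1) RFC 6265 section 5.1.4 path-match: which requests the cookie is SENT on.
// 2) Same-origin policy: which scripts may READ a frame's document.cookie.
//    The origin is (scheme, host, port); the URL path is not part of it.

function pathMatch(requestPath, cookiePath) {
  // Identical paths match.
  if (requestPath === cookiePath) return true;
  // Otherwise the cookie-path must be a prefix of the request-path ...
  if (!requestPath.startsWith(cookiePath)) return false;
  // ... and either end in "/" ...
  if (cookiePath.endsWith('/')) return true;
  // ... or be followed by "/" in the request-path (so /default does not match /defaultx).
  return requestPath.charAt(cookiePath.length) === '/';
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Constructed scenario from the question: the main app's session cookie,
// scoped with Path=/default and (initially) readable by script.
const sessionCookie = { name: 'SESSION', path: '/default', httpOnly: false };

// Does the browser attach the cookie to a request for `url`?
function sentOnRequest(cookie, url) {
  return pathMatch(new URL(url).pathname, cookie.path);
}

// Can script running at `scriptUrl` obtain the cookie by framing `frameUrl`?
// Only when the frame is same-origin (contentDocument is accessible), the
// cookie is sent to the framed page, and the cookie is not HttpOnly.
function readableViaFrame(cookie, scriptUrl, frameUrl) {
  return sameOrigin(scriptUrl, frameUrl)
    && sentOnRequest(cookie, frameUrl)
    && !cookie.httpOnly;
}
```

Moving the blog to blog.site.com changes the origin tuple and is what actually closes the frame path; HttpOnly only removes the document.cookie read, not other same-origin access.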