websecurity@lists.webappsec.org

The Web Security Mailing List


Isolating web applications under the same domain name

Ahamed Nafeez
Thu, Dec 20, 2012 10:50 AM

Hi all,
I was just wondering how we could isolate different web applications under
the same domain name. Say my domain name is 'site.com' and I have my main
web application running under 'site.com/default/'. And let's say that I
have a use case where I need to run a blog, so I might have another web
application, say 'WordPress', running under 'site.com/blog'.

Now how can I isolate these two with respect to client-side security? I'm
already aware that according to the same-origin policy I can have my blog
running under a different sub-domain like blog.site.com.
But let's assume that I don't get a chance to do that (isolating based on
different domains / sub-domains).

One possible way is to set cookies with respect to path, but that can be
eventually bypassed with an XSS in the vulnerable application by injecting
the desired iframe and reading from that.

Is there a better way to isolate web applications under the same domain?

--
Cheers,
Nafeez

Ryan Barnett
Thu, Dec 20, 2012 5:26 PM

Perhaps issuing different CSP headers for the different paths (with
different policies) vs. only once, when they hit your main index page.

-Ryan

From: Ahamed Nafeez <ahamednafeez@gmail.com>
Date: Thursday, December 20, 2012 5:50 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] Isolating web applications under the same domain name

> Hi all,
> I was just wondering how we could isolate different web applications under
> the same domain name. Say my domain name is 'site.com' and I have my main
> web application running under 'site.com/default/'. And let's say that I
> have a use case where I need to run a blog, so I might have another web
> application, say 'WordPress', running under 'site.com/blog'.
>
> Now how can I isolate these two with respect to client-side security? I'm
> already aware that according to the same-origin policy I can have my blog
> running under a different sub-domain like blog.site.com.
> But let's assume that I don't get a chance to do that (isolating based on
> different domains / sub-domains).
>
> One possible way is to set cookies with respect to path, but that can be
> eventually bypassed with an XSS in the vulnerable application by injecting
> the desired iframe and reading from that.
>
> Is there a better way to isolate web applications under the same domain?
>
> --
> Cheers,
> Nafeez
>
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed: http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn: http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter: http://twitter.com/wascupdates
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Paul Johnston
Thu, Dec 20, 2012 6:22 PM

Hi,

> I was just wondering how we could isolate different web applications
> under the same domain name. Say my domain name is 'site.com' and I have
> my main web application running under 'site.com/default/'. And let's say
> that I have a use case where I need to run a blog, so I might have
> another web application, say 'WordPress', running under 'site.com/blog'.

Your best bet is to use separate subdomains - blog.site.com,
default.site.com, etc.

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

Amit Klein
Thu, Dec 20, 2012 6:53 PM

Check out my "Path Insecurity" writeup (of a few years ago):
http://www.securityfocus.com/archive/107/426420

Thanks,
-Amit


Paulus Junior Lazuardi
Fri, Dec 21, 2012 1:13 AM

Hi,

Is using a reverse proxy server an option for you?

regards,

Junior

On Thu, Dec 20, 2012 at 5:50 PM, Ahamed Nafeez <ahamednafeez@gmail.com> wrote:

> Is there a better way to isolate web applications under the same domain?
>
> --
> Cheers,
> Nafeez

James Kettle
Mon, Dec 31, 2012 8:31 PM

I believe the same-origin policy takes the protocol of a URI into
account. As such, with some careful server configuration you could have
two separate web applications on one domain: http://site.com and
https://site.com. Cookies would need to be flagged as HttpOnly for both
sites, and Secure for the latter.

This is, of course, a terrible idea. As with the sub-domain approach, an
XSS vulnerability in one site can be used to inject cookies onto the
other. Plugins, password managers, users, geolocation whitelists and the
like may fail to recognise the distinction between the two sites, and
there are probably several critical flaws that I've failed to notice.

James


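As an added illustration (not code from anyone in this thread), the following Python models the two boundaries the thread keeps contrasting: the browser's same-origin check, which compares scheme, host and port, and the cookie store's Domain/Path/Secure scoping from RFC 6265. The URLs and the cookie name `sess` are constructed from the thread's hypothetical site.com examples.

```python
# Added illustration of origin vs. cookie scope (RFC 6454 / RFC 6265 rules);
# URLs and the cookie name are constructed from the thread's site.com examples.
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str) -> tuple:
    # The (scheme, host, port) triple the same-origin policy compares.
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])

def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # host the cookie was set by (host-only cookie)
    path: str = "/"
    secure: bool = False

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match; Path is scoping, not a security boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def sent_with(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    u = urlsplit(url)
    if u.hostname != cookie.domain:
        return False
    if cookie.secure and u.scheme != "https":
        return False
    return path_matches(u.path or "/", cookie.path)

def isolation_report(app_a: str, app_b: str, cookie: Cookie) -> dict:
    """Summarise what each mechanism does and does not separate."""
    return {"same_origin": same_origin(app_a, app_b),
            "cookie_sent_to_a": sent_with(cookie, app_a),
            "cookie_sent_to_b": sent_with(cookie, app_b)}

if __name__ == "__main__":
    # Path-scoped cookie is withheld from /blog/, yet both paths share one origin.
    print(isolation_report("http://site.com/default/", "http://site.com/blog/", Cookie("sess", "site.com", "/default/")))
    # Scheme split: two origins, but a cookie set without Secure reaches both.
    print(isolation_report("http://site.com/", "https://site.com/", Cookie("sess", "site.com")))
```

The two reports show the mismatch the thread turns on: the paths /default/ and /blog/ are one origin even though a Path-scoped cookie is withheld from /blog/, while http://site.com and https://site.com are distinct origins yet share any cookie that lacks the Secure flag.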