Can different subdomains of the same app prevent malicious attack like XSS?

前端 未结 1 1708
挽巷
挽巷 2021-01-22 22:59

In my Rails app i have 2 subdomains,

one : members.myapp.com which is the area shared between all members (where they can login and ma

相关标签:
1条回答
  • 2021-01-22 23:16

    They would be able to set cookies that can be read by members.myapp.com - so if they are any coookie handling vulnerabilities on members.myapp.com then they could possibly exploit these. An example of cookie poisoning could be session fixation.

    XSS would not be possible unless both domains opted in. i.e. they would both have to contain the following code.

    document.domain = 'myapp.com';
    

    Unless members.myapp.com is doing this, the Origin will not be shared between subdomains.

    Example of a cookie handling vulnerability

    As mentioned, one type is Session Fixation.

    Now, say the attacker visits members.myapp.com and is given a random session cookie: set-cookie: session_id=123456.

    The attacker then sends an email to an administrator saying there is a problem on his domain user1.myapp.com.

    The attacker has some JavaScript code hosted on user1.myapp.com:

    document.cookie = "session_id=123456;domain=myapp.com";
    

    The victim (an administrator of myapp.com) goes to the attacker's page and receives the cookie.

    The admin later goes to members.myapp.com and the logs into their administrator level account. However, as the attacker has give the attacker their session ID (123456) in a cookie that can be read by members.myapp.com (as it was set at myapp.com level) the attacker is now logged in as the administrator. i.e. the attacker has managed to make the administrator share his session so when the administrator logs in, the attacker sharing his session is also logged in.

    This is just one example of a cookie handling vulnerability. In this case the system should issue a new session cookie after login to prevent the session fixation attack.

    0 讨论(0)
提交回复
热议问题