Skeptikal.org

Tuesday, November 3, 2009

Cross-subdomain Cookie Attacks

I did a talk at Toorcon last weekend on exploiting client-side applications' trust in subdomains. Primarily, it formalized and demonstrated a few attacks on cookies, which implement security policies backwards by placing more trust in a subdomain of a trusted domain, rather than less, as the hierarchical nature of DNS would suggest.
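As an added illustration of the trust inversion described above (not code from the talk or the paper), the following Python models the RFC 6265 Domain-matching rule in a minimal cookie jar and then runs a constructed scenario: the application at www.example.com and a sibling subdomain untrusted.example.com are hypothetical hosts. It shows that a cookie scoped to the parent domain by the sibling is presented to the application alongside the application's own host-only cookie, that a CSRF check which merely compares a form token against any cookie of the same name accepts the sibling's planted value, and that a token bound to the server-side session under a server-held secret does not.

```python
import hashlib
import hmac
import secrets


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host either equals the cookie
    domain or ends with '.' followed by the cookie domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Minimal browser cookie jar modelling only the Domain attribute (no Path,
    Secure or expiry), enough to show the subdomain trust inversion."""

    def __init__(self):
        self._cookies = []  # (name, value, domain, host_only), in creation order

    def set_cookie(self, setting_host, name, value, domain=None):
        """Model a Set-Cookie response from setting_host. Without a Domain
        attribute the cookie is host-only; with one, the host may pick itself
        or any parent domain it matches, so sub.example.com may set
        Domain=example.com. Returns False when a browser would ignore it."""
        if domain is None:
            key = (name, setting_host.lower(), True)
        else:
            if not domain_matches(setting_host, domain):
                return False
            key = (name, domain.lower().strip("."), False)
        # Same name, domain and host-only flag replaces the existing cookie.
        self._cookies = [c for c in self._cookies if (c[0], c[2], c[3]) != key]
        self._cookies.append((name, value, key[1], key[2]))
        return True

    def cookies_for(self, request_host):
        """(name, value) pairs a browser sends to request_host. A host-only
        cookie goes only to its exact host; a domain cookie goes to the domain
        and all its subdomains. Same-named cookies with different scopes are
        both sent, so the server sees duplicates and must decide which wins."""
        host = request_host.lower().rstrip(".")
        sent = []
        for name, value, domain, host_only in self._cookies:
            if host_only and host == domain:
                sent.append((name, value))
            elif not host_only and domain_matches(host, domain):
                sent.append((name, value))
        return sent


def naive_double_submit_ok(cookie_pairs, form_token):
    """Double-submit check that trusts the cookie alone: valid if the form token
    equals any presented 'csrf' cookie. Any host able to set Domain=example.com
    can plant a value it already knows, so the check proves nothing."""
    return any(n == "csrf" and v == form_token for n, v in cookie_pairs)


SERVER_SECRET = secrets.token_bytes(32)  # constructed for the demo; never leaves the server


def issue_bound_token(session_id):
    """Token bound to the server-side session under a server secret. A sibling
    subdomain cannot compute it, so a planted cookie fails verification."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def bound_token_ok(session_id, form_token):
    return hmac.compare_digest(issue_bound_token(session_id), form_token)


def scenario():
    """Constructed scenario with hypothetical hosts www.example.com (the
    application) and untrusted.example.com (a sibling it does not control)."""
    jar = CookieJar()
    victim_token = secrets.token_hex(16)
    jar.set_cookie("www.example.com", "csrf", victim_token)      # host-only
    jar.set_cookie("www.example.com", "sid", "victim-session")   # host-only

    planted = "token-known-to-sibling"
    results = {
        # The sibling can scope a cookie to the shared parent domain...
        "sibling_sets_parent_domain": jar.set_cookie(
            "untrusted.example.com", "csrf", planted, domain="example.com"),
        # ...but not to a sibling host or an unrelated domain.
        "sibling_sets_sibling_host": jar.set_cookie(
            "untrusted.example.com", "csrf", planted, domain="www.example.com"),
        "sibling_sets_foreign_domain": jar.set_cookie(
            "untrusted.example.com", "csrf", planted, domain="other.com"),
    }
    presented = jar.cookies_for("www.example.com")
    results["csrf_values_seen"] = [v for n, v in presented if n == "csrf"]
    results["naive_accepts_planted"] = naive_double_submit_ok(presented, planted)
    results["bound_accepts_planted"] = bound_token_ok("victim-session", planted)
    results["bound_accepts_real"] = bound_token_ok(
        "victim-session", issue_bound_token("victim-session"))
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The server sees two `csrf` cookies for www.example.com, its own and the planted one, and whichever it picks, the naive check passes for the value the sibling chose. Binding the token to server-side state is the part a subdomain cannot influence; a host-only cookie alone does not help, because the sibling's parent-domain cookie still arrives next to it.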

Last night, I put together a quick paper summarizing these problems, with interesting proof-of-concept attacks against Google's new CSRF protection feature and Expedia.

I'm still looking into the ways that other client-side technologies (Flash, Java, etc) handle these issues, so expect a version 2.0 in the future. Also, I'm looking forward to some relevant new tools that will be released at AppSec DC next week.

Note: All the attacks outlined in this paper were responsibly disclosed, and the Google and Expedia ones, specifically, have been fixed for several weeks.


6 Comments:

  • An interesting approach where the scope of verification may require systems beyond the scope to be examined. I have added this to our own website testing methodology.

    By Anonymous Clerkendweller, At November 30, 2009 2:06 PM  

  • Sorry. But I can't help myself *lol*

    Is the "ASS" certified banner on the right side really needed? *lol*

    I guess this one wins hands down on the worst ever chosen acronym *lol*

    *rofl* *lol*

    By Anonymous Lolling Visitor, At November 30, 2009 2:06 PM  

  • This is great work. I plan to do some work playing with it and will definitely reference you when I write my own article. I can't wait to read the whole paper.

    By Anonymous Carter, At November 30, 2009 2:06 PM  
