A security researcher has uncovered a serious exploit that could endanger popular Websites.
The attack was uncovered by Michael Bailey, a senior security researcher at Foreground Security, and unveiled Oct. 24 at the ToorCon conference in San Diego. According to Bailey, due to the way Web browsers handle cookies, it is possible for a vulnerability on a Website subdomain to be leveraged against a parent domain.
“A weakness in a server with a subdomain pointed at it can be used to both leak cookies and set cookies for the main domain,” Bailey wrote in a paper (PDF) on the issue. “This can in turn be used to perform multistage session fixation and cross-site scripting attacks.
“For example, www.advertising.expedia.com contained an XSS hole,” he wrote. “Using that hole, one could poison the global cookies for the expedia.com domain. The main Expedia Website (www.expedia.com) would use those cookies in the body of the Web page, without proper escaping, and permit an attacker to inject malicious JavaScript into that application. This would allow the attacker to fully compromise the user’s session on the Website, and the payload would persist until the user cleared his cookies or the server overwrote them, which may take months.”
Part of the attack’s success lies in the fact that for many businesses, there is a perception that applications on subdomains are isolated from the rest of the Website, Bailey told eWEEK.
“According to the structure of DNS [Domain Name System] this should be true, but Web browsers, and specifically their implementations of cookies, create implicit trust relationships that are ripe for abuse,” he explained.
Users can mitigate the attack by using the ‘Private Browsing’ features of Internet Explorer, Mozilla Firefox and other browsers, he said. But there are still scenarios where the attack could work despite that capability.
“While it may keep sensitive information from being leaked through cookies, it will not prevent cookies from being poisoned,” Bailey said. “The consequences of this are application-specific, but the end result is the same: Private browsing [modes] cannot be assumed to fully protect the user from these attacks.”
Blocking cookies will also help prevent the attacks, but will disable the functionality that these attacks abuse, he added.
“For example, if a Web browser does not store session data, there will be no sessions to attack, but it also will not be able to use those sessions to maintain state,” he said. “Disabling cookies may be effective, but it is not practical.”
Bailey did however outline some solutions in his paper. Any vulnerability on an untrusted subdomain can affect a trusted domain, so administrators should pay careful attention. All applications should be reviewed for common vulnerabilities such as cross-site scripting and cross-site request forgery, and administrators should be wary of third-party servers and applications. The researchers also recommend that high-value DNS records be audited to locate unused servers and IP addresses.
“Security people often make the comment that you are only as secure as the weakest link in the chain, and that is now literally true,” Mike Murray, chief information security officer of Foreground, told eWEEK. “Your weakest-security subdomain Website can compromise your highest-security one.”