[WEB SECURITY] document.domain / application security perimeter
- From: "application.secure application.secure" <application.secure@xxxxxxxxx>
- Subject: [WEB SECURITY] document.domain / application security perimeter
- Date: Tue, 13 May 2008 09:35:16 +0200
Hello,
I've recently come across the use of document.domain in an application that
we review.
Developers use this javascript command to allow javascript communication
between 2 different subdomains in the company.
In this case that was not really a security problem.
But from the point of view of an attacker this feature could be interesting.
Imagine a big company with 2 different applications hosted on 2
subdomains.
application 1 => subdomain1.company.com
application 2 => subdomain2.company.com
The first application is an e-commerce site which is critical for application
security (the company spends time and money to secure this application).
The second one is developed and managed by the marketing service and is less
critical.
The first application is well protected against XSS (complete input
validation) but it contains one issue: somewhere in the application you can
inject and execute document.domain="company.com".
The second one contains a lot of basic XSS issues, so you can inject and
execute a lot of XSS commands.
By initializing document.domain=company.com in the second application, all
XSS injected in this application can access the first application.
The attacker has full control of application 1 via application 2.
One small issue in your application extends your security perimeter.
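The browser rule behind the post is that document.domain relaxation only takes effect when both documents opt in to the same value; a single writable sink in the "well protected" application is exactly the missing half. The following is an added example, not code from the original post: a small model of that rule, a code-review helper that lists document.domain writes in script text, and the two-subdomain scenario played through. It assumes both applications share a scheme (so scheme is ignored), uses a tiny hardcoded PUBLIC_SUFFIXES set in place of the browser's public-suffix list, and the function names (makeDocument, setDocumentDomain, canScript, findDocumentDomainWrites, runScenario) are this example's own.

```javascript
// Added example (not code from the original post): a simplified model of the
// document.domain origin-relaxation rule, a review-time scanner for writes to
// document.domain, and the scenario from the post run through the model.
// Assumption: PUBLIC_SUFFIXES stands in for the browser's public-suffix list,
// and both documents are assumed to share the same scheme.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "net"]);

// A document with its host and, once document.domain has been set, its
// effective domain (the browser's origin "domain" attribute, null until set).
function makeDocument(host) {
  return { host: host.toLowerCase(), effectiveDomain: null };
}

// Mimics the `document.domain = value` setter: browsers reject a value that is
// neither the current host nor a suffix of it, and reject public suffixes.
function setDocumentDomain(doc, value) {
  const v = value.toLowerCase();
  if (PUBLIC_SUFFIXES.has(v)) {
    throw new Error(`"${v}" is a public suffix and cannot be used`);
  }
  if (v !== doc.host && !doc.host.endsWith("." + v)) {
    throw new Error(`"${v}" is not a suffix of ${doc.host}`);
  }
  doc.effectiveDomain = v;
  return doc;
}

// Two same-scheme documents may script each other when neither has set
// document.domain and their hosts match, or when BOTH have set it to the same
// value. A relaxation on one side only changes nothing for that pair.
function canScript(a, b) {
  if (a.effectiveDomain === null && b.effectiveDomain === null) {
    return a.host === b.host;
  }
  if (a.effectiveDomain === null || b.effectiveDomain === null) {
    return false;
  }
  return a.effectiveDomain === b.effectiveDomain;
}

// Code-review helper: list the lines of a script that assign document.domain.
// Comparisons (== / ===) are ignored; only writes widen the origin.
function findDocumentDomainWrites(source) {
  const pattern = /\bdocument\s*\.\s*domain\s*=(?!=)/;
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => pattern.test(text));
}

// The post's scenario: the shop on subdomain1, the marketing site on subdomain2.
function runScenario() {
  const shop = makeDocument("subdomain1.company.com");
  const marketing = makeDocument("subdomain2.company.com");
  const before = canScript(shop, marketing);     // false: different hosts
  setDocumentDomain(marketing, "company.com");   // relaxation on the weaker site
  const oneSided = canScript(shop, marketing);   // false: the shop has not relaxed
  setDocumentDomain(shop, "company.com");        // the single sink in the shop
  const after = canScript(shop, marketing);      // true: one origin now
  return { before, oneSided, after };
}

// Constructed sample script text for the scanner (not from any real site).
const SAMPLE_SOURCE = [
  "if (document.domain === 'subdomain1.company.com') { init(); }",
  "// legacy cross-subdomain bridge",
  "document.domain = 'company.com';",
  "window.document.domain='company.com'",
].join("\n");
```

Running runScenario() shows the point of the post in three steps: the hosts differ, one-sided relaxation still leaves the pair isolated, and the second write merges both applications into one origin. For a reviewer, every hit from findDocumentDomainWrites is worth treating as part of the sensitive application's perimeter; the usual fix is to drop the relaxation in favour of postMessage with an explicit event.origin check, and current browsers let a site refuse document.domain changes altogether with the Origin-Agent-Cluster: ?1 response header.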