Subdomain takeover: ignore this vulnerability at your peril

from blog Posts on jub0bs.com, | ↗ original
My third guest post on Honeybadger’s blog, entitled Subdomain Takeover: Ignore This Vulnerability at Your Peril has just been published!
This is a short summary. ↗ Open original to view full content

Related

IP fragmentation is fundamentally broken
Marek's idea of the day | original ↗
The Federation Deathmatch
Deciphering Glyph | original ↗
News from June 2000
Home on consequently.org | original ↗
Tracking-free audience statistics
Bert Hubert's writings | original ↗
A Quick Site Maintenance Note
Brain Baking | original ↗
Beware of Godaddy Premium Renewal Fees on Non-premium Domains!
The Blog of Michael Taboada | original ↗
This Holiday Season, Drive Home in a Brand New Server Updates
Ersei 'n Stuff | original ↗
SSDP attack crossing 100Gbps
Marek's idea of the day | original ↗
For Sale: Used Domain (**Clean Title**)
Jim Nielsen’s Blog | original ↗

More from Posts on jub0bs.com

Reconfigurable CORS middleware with jub0bs/cors
14 May 2024 | original ↗

TL;DR ¶ In this short follow-up to my previous post, I describe why and how I’ve added support for dynamic reconfiguration of CORS middleware in jub0bs/cors. Rethinking configuration immutability ¶ Up until now, I’ve been arguing that CORS middleware should not be reconfigurable on the fly and that any change to their configuration should require...

A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF...
5 May 2023 | original ↗

TL;DR ¶ A few months ago, while hunting on a public bug-bounty programme, I found a nice little bug chain that involved an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, a permissive CORS configuration, all to achieve CSRF against an in-scope asset. Read on for a deep dive about...

Existence oracle for Secure cookies on insecure Web origins
12 Sept 2022 | original ↗

TL;DR ¶ In this post, I present an XSLeak technique that allows an active network attacker to observe, from an insecure Web origin, the presence or absence of some Secure cookie that may have been set by the origin’s secure counterpart. Cookies’ crumbly beginnings ¶ Netscape (Lou Montulli, more precisely) invented cookies in 1994 in order to...

Scraping the bottom of the CORS barrel (part 1)
4 Aug 2022 | original ↗

James Kettle’s 2016 research was instrumental in raising awareness of the deleterious effects of CORS (Cross-Origin Resource Sharing) misconfiguration on Web security. Does the story end there, though? Is writing about CORS-related security issues in 2022 futile? I don’t think so. This post is the first in a series in which I will discuss more...

The great SameSite confusion
29 Jan 2021 | original ↗

In this post, I dissect a common misconception about the SameSite cookie attribute and I explore its potential impact on Web security. TL;DR ¶ The SameSite cookie attribute is not well understood. Conflating site and origin is a common but harmful mistake. The concept of site is more difficult to apprehend than meets the eye. Some requests are...