There's lots of discussion about protecting content on example.com from user-controlled content on subdomain.example.com (e.g. GitHub Pages). What are the risks the other way around?

If my content is hosted at subdomain.example.com, what attacks am I exposed to from untrusted content hosted on example.com?

Some things I can think of:

  • Parent domain can write cookies which will be visible on the child
  • Parent domain can read any cookies that have been set for the parent domain, but not those on the subdomain (I think)
  • Parent domain could enable HSTS, to force HTTPS on the subdomain.
  • ...and more?

More specifically, for context: we host users' content on user domains like [user_id].usercontent.com, passing their requests/responses through a proxy we control. We're considering adding authentication for some requests, and hosting our authentication service at auth.[user_id].usercontent.com, so we can set auth cookies that will be visible in requests as they hit the proxy that hosts the user content. How could the user content attack these authentication pages?

Tim Perry

1 Answer

The requirement of trust in the parent domain is not comparable to the need for a parent domain's trust in its subdomains.

Non-content-wise, the parent domain controls the delegation of DNS records and thus could essentially define which systems are allocated to your subdomain. Having no trust in the parent domain is therefore not possible. It is comparable, although still different, to the required trust in public suffix and TLD operators.

I would like to draw attention to cascading DNS records like DMARC and CAA, which, if absent in your subdomain, would default to the parent domain's records. This could give out some control or allow some information gathering.

Content-wise, you have covered most issues. I am not sure whether the HSTS header could be solved, although you would want to use HTTPS anyway. Make sure cookies are set with strict SameSite flags and consider the __Host- prefix.

Lastly, the use of a strict Content-Security-Policy header could prevent the (accidental) inclusion of content from the parent domain (and others).

Bottom line: if you really don't trust the parent domain, get your own domain. Otherwise, follow best practices in terms of security settings to minimize the chances of abuse.

Wouter
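
The cookie advice in the answer above (strict SameSite, the __Host- prefix), as an added example that is not part of the original answer: a small JavaScript audit of Set-Cookie headers against those two recommendations. The function names, cookie names and values, and the u123.usercontent.com host are constructed for illustration.

```javascript
// Added example: audit a Set-Cookie header against the answer's cookie advice.
// The __Host- conditions follow the cookie-prefix rules of RFC 6265bis.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: pair.slice(eq + 1),
    attrs: Object.create(null), // no inherited keys, so "in" checks are exact
  };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Returns a list of findings; an empty list means the header follows the advice.
function auditAuthCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!name.startsWith("__Host-")) {
    findings.push("no __Host- prefix: a parent domain can set a same-named cookie via Domain=");
  } else {
    // A browser refuses to store a __Host- cookie unless all three conditions hold.
    if (!attrs.secure) findings.push("__Host- requires Secure");
    if (attrs.path !== "/") findings.push("__Host- requires Path=/");
    if ("domain" in attrs) findings.push("__Host- forbids the Domain attribute");
  }
  if (String(attrs.samesite).toLowerCase() !== "strict") {
    findings.push("SameSite is not Strict");
  }
  return findings;
}

// Constructed sample headers (hypothetical cookie names, values and host).
const samples = [
  "__Host-auth=abc123; Secure; Path=/; SameSite=Strict",
  "auth=abc123; Domain=u123.usercontent.com; Secure; Path=/; SameSite=Lax",
  "__Host-auth=abc123; Domain=u123.usercontent.com; Secure; Path=/; SameSite=Strict",
];
for (const header of samples) {
  const findings = auditAuthCookie(header);
  console.log(header, "=>", findings.length ? findings : "ok");
}
```

A __Host- cookie is host-only: the browser sends it only to the exact host that set it, not to that host's parent or sibling hosts.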