1

I'm writing an application (example.com) that gives users their own sub-domains to run arbitrary user applications off of (user.example.com).

Each user application will be run on separate servers with distinct domains, and my application will route user.example.com to users-app.com.

Are my users able to compromise each other? What about the parent domain example.com?

sahil
  • 4
    The browser doesn't know or care whether they are on separate servers. Read on the rules for same origin policy and about cookies on Mozilla developer network site. – Z.T. Jun 23 '19 at 12:21
  • 1
    Note that the CMS/admin interface that edits the sites should be on a separate domain than the edited sites. Like blogger.com edits blogspot.com sites. – Z.T. Jun 23 '19 at 18:56
  • @Z.T. Thanks! I looked at the same-origin policy and was wondering if there are still problems if `example.com` is not in use? According to [this](https://security.stackexchange.com/a/23298), sub-domains are treated as different origins. If `example.com` is not in use, and users scope their domains to `user.example.com`, what other security concerns should I be wary of? – sahil Jun 24 '19 at 00:24
  • If example.com is unused, that would work, I think. But on which domain would you have the application that gives users their own sub-domains, if not on example.com? Personally I would place the admin/CMS on a separate domain. – Z.T. Jun 24 '19 at 00:32
  • "_my application will route user.example.com to users-app.com._" what do you mean? – curiousguy Nov 21 '19 at 15:50

2 Answers

2

Quick answer: Probably yes

Domain and sub-domain names are just pointers to where your application resides, or at least, where it can be reached if you've put additional proxies in place.

So the real question is what stops anyone compromising any of your users at the application level?

There are plenty of exploits and developer errors to get around what browsers should enforce when communicating with hosts, and attackers can always go after your servers directly.

So yes, if you screw up your application design or implementation badly enough, using sub-domains isn't going to magically save you. I would also suspect dedicated servers per customer isn't going to scale too well either, but that's a different issue.

Samuel Philipp
Richard N
0

It highly depends on the type of issue that exists. If the domains are hosted on different servers, then they will not be subjected to security misconfigurations implemented on separate servers.

However, other vulnerabilities such as SQLi or XSS may still be an issue if they are querying the same backend components for resources.

Apart from the vulnerability itself, the relationship between the 2 domains will also have an effect on determining if the issue can be extended to a separate system that hosts a sub domain.

Due to the various factors that affect this particular scenario, it is very difficult to generalize it without actually seeing an implementation of the sub domains on separate servers.

schroeder
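The same-origin and cookie rules that the comments on the question point to, modelled as an added example that is not part of the original posts. The host names `alice.example.com`, `bob.example.com` and `admin.example.net` and the function names are hypothetical, HTTPS is assumed, and no Public Suffix List lookup is done.

```javascript
// Added example. Hosts are constructed; HTTPS is assumed throughout.
// Simplification: no Public Suffix List lookup, so example.com is treated as
// an ordinary registrable domain.
const HOSTS = ["example.com", "alice.example.com", "bob.example.com", "admin.example.net"];

// Same-origin policy: scheme, host and port must all be equal.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// RFC 6265 section 5.1.3 domain-match: equal, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the hosts in `hosts` that would receive a cookie after
// `settingHost` sends this Set-Cookie value ([] if the browser rejects it).
function cookieReach(settingHost, setCookie, hosts = HOSTS) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const has = (re) => attrs.some((a) => re.test(a));
  const domAttr = attrs.find((a) => /^domain=/i.test(a));
  // __Host- prefix: accepted only with Secure, Path=/ and no Domain attribute.
  if (name.startsWith("__Host-") && (domAttr || !has(/^secure$/i) || !has(/^path=\/$/i))) {
    return [];
  }
  // No Domain attribute: host-only cookie, returned to the setting host alone.
  if (!domAttr) return hosts.filter((h) => h === settingHost);
  const domain = domAttr.slice("domain=".length).replace(/^\./, "").toLowerCase();
  // A host may only name itself or one of its parent domains.
  if (!domainMatch(settingHost, domain)) return [];
  return hosts.filter((h) => domainMatch(h, domain));
}

// Script on one user's site is a different origin from another user's site...
console.log(sameOrigin("https://alice.example.com/", "https://bob.example.com/"));
// ...but cookie scope is wider than origin when Domain= names the parent.
console.log(cookieReach("example.com", "sid=1; Domain=example.com"));
console.log(cookieReach("alice.example.com", "pref=1; Domain=example.com"));
console.log(cookieReach("example.com", "__Host-sid=1; Secure; Path=/"));
```

The admin host on a separate registrable domain never appears in any result, which is the separation suggested in the comments. If the parent domain is listed on the Public Suffix List, browsers reject `Domain=example.com` cookies from its sub-domains.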