
I want to provide users with subdomains on my website.

Users will provide an IP address and the subdomain they want, and I will then use a DNS service to redirect to that IP through an A record or CNAME record.

Apart from the obvious risk that the user performs something nefarious with the subdomain (e.g. hosting illegal material, etc.), is there any risk that the individual could use this to hijack the root domain?

The root domain is just static HTML, if this changes anything. Thanks!

James
  • As this is a relatively old question, I was wondering if there were any new security issues beyond supercookies which are avoidable using https://publicsuffix.org? – Chris Smith Dec 08 '19 at 22:05

2 Answers


Yes, they could poison cookies on your domain to execute, say, a Session Fixation attack.

e.g.

  1. The attacker visits your main website www.example.com and gets a session ID.
  2. The attacker adds some JavaScript to their page at attacker.example.com to set the session cookie at .example.com to be the same as the session ID.
  3. They entice their victim to visit attacker.example.com by sending them a link.
  4. The victim visits the site and has the session cookie set at .example.com level.
  5. The victim later visits www.example.com and logs in. Because there is a session cookie set at .example.com level, www.example.com uses this cookie for the session ID.
  6. As the attacker is sharing that session, she is also logged in.

Whether this is possible on your domain or not depends on functionality. If not this exact attack, others may be possible. Session fixation can be mitigated by refreshing the session ID on login and logout.

SilverlightFox
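Added example (not code from either answer): a minimal Python session handler that applies the mitigation the answer above names, regenerating the session ID at login so an ID planted from a sibling subdomain never becomes the victim's authenticated session, and issuing the cookie under the `__Host-` prefix, which browsers accept only without a Domain attribute, so it cannot be set for the parent domain from attacker.example.com. The in-memory store and function names are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# __Host- prefix: a browser accepts such a cookie only when it is Secure, has Path=/ and
# carries no Domain attribute, so a page on attacker.example.com cannot set it for www.
SESSION_COOKIE = "__Host-sid"

# Hypothetical in-memory session store: sid -> {"user": username or None}
sessions = {}


def parse_cookie_header(header):
    """Parse a request Cookie header into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def new_session(user=None):
    """Create a fresh, unguessable session ID and register it in the store."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user}
    return sid


def login(cookie_header, username):
    """Authenticate and return (new sid, Set-Cookie value).

    The ID the client presented is dropped, never promoted: this is the 'refresh the
    session ID on login' mitigation, so an ID the attacker already knows is useless.
    """
    presented = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    sessions.pop(presented, None)
    sid = new_session(username)
    return sid, f"{SESSION_COOKIE}={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"


def current_user(cookie_header):
    """Return the user bound to the presented session cookie, or None."""
    sid = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
    return sessions.get(sid, {}).get("user")


def host_prefix_valid(set_cookie):
    """Check a Set-Cookie line against the __Host- rules a browser enforces."""
    name_value, *attrs = [part.strip() for part in set_cookie.split(";")]
    if not name_value.split("=", 1)[0].startswith("__Host-"):
        return False
    attr = {a.split("=", 1)[0].lower(): (a.split("=", 1)[1] if "=" in a else "") for a in attrs}
    return "secure" in attr and attr.get("path") == "/" and "domain" not in attr
```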

There are several browser-side mechanisms that work domain-wide and thus can be affected by this idea, at least:

  • Firefox NoScript plugin - permissions to run individual scripts are domain-wide, so enabling scripts for one user will result in enabling scripts for all users
  • cookie visibility
  • Flash access permissions
  • Java access permissions
  • JavaScript access permissions

It's a better idea to use 2 domains, e.g.:

  • your-domain.com - for company site and trusted services
  • *.your-domain.net - for untrusted users

Tomasz Klim