[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

To: Jan Wrobel <wrr@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Thu, 11 Apr 2013 09:32:36 -0700

This is fairly well-known, I think; for example, there's a mention of this
here (search for appspot.com):

http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

I think it's also covered in "The Tangled Web"; it's also why you see
domains such as blogspot.com and appspot.com in PSL:

http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users
  - From: Jan Wrobel

References:
- [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users
  - From: Jan Wrobel

Prev by Date: [Full-disclosure] Allegro.pl XSS [0-day]
Next by Date: Re: [Full-disclosure] Allegro.pl XSS [0-day]
Previous by thread: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users
Next by thread: Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users
Index(es):
- Date
- Thread