Foreground Security Senior Researcher Uncovers Major Web Application Vulnerability

Browser Cookie Handling Widens Web Attack Space

ORLANDO, Florida, November 6, 2009 – Foreground Security™, the leader in information security services, solutions and training, recently announced that one of its Senior Security Researchers, Mike Bailey, has discovered and written a whitepaper on a vulnerability that most corporations didn't think could happen: that one of their website sub-domains can be used to attack their main production domain.

“Most webmasters operate under a false assumption that, because of the hierarchical and segmented structure of DNS, an exploit on a subdomain (for instance, mail.google.com) cannot impact the principal domain (google.com),” Bailey said. He added, “The way browsers handle cookies makes this possible because cookies are designed so that sub-domains can set and customize them for the main domain.”

CISO and Managing Partner Mike Murray added, "It's not just 'check the vulnerabilities on the important stuff.' It's 'check the vulnerabilities on every public-facing server.' This vulnerability significantly lowers the ante for the attacker. In the old days, we believed that if the main site was secure, everything was fine. Now the attacker can go through the side doors."

A permanent fix for this vulnerability requires fundamental changes by every major browser provider in the way cookies operate. Such a change is unlikely to be effected quickly, but organizations shouldn't wait to react. Every organization should consult web application security experts to review its security posture in light of this new information.
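The behaviour the release describes can be seen in a small model of a browser cookie jar. The following Python is an added example written for this page; it is not code from Mike Bailey's whitepaper or from Foreground Security. It implements only the RFC 6265 domain-match rule (ignoring Path, expiry and the public suffix list), uses constructed hostnames under `example.test` and a placeholder signing key, and shows one server-side mitigation an application owner can apply today: because the `Cookie` request header carries no `Domain` attribute, the main site cannot tell which host set a value, so it should accept only cookie values whose integrity it can verify.

```python
"""Added example: model of parent-domain cookie scoping plus a server-side
integrity check. Hostnames and the key below are constructed placeholders."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # the Domain attribute requested by the setting host


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a
    sub-domain of it (ends with '.' + cookie domain)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    """Minimal jar: a host may set a cookie for any domain that domain-matches
    it, so mail.example.test may set a cookie scoped to example.test."""

    def __init__(self):
        self.cookies = []

    def set_cookie(self, setting_host: str, cookie: Cookie) -> bool:
        # Browsers reject a Domain attribute that does not cover the setting host.
        if not domain_matches(setting_host, cookie.domain):
            return False
        # Same (name, domain) replaces the stored cookie; a different domain is a
        # second cookie with the same name, which browsers store side by side.
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain) != (cookie.name, cookie.domain)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str):
        """(name, value) pairs that would appear in the Cookie header. The header
        has no Domain field, so the server cannot see which host set each one."""
        return [(c.name, c.value) for c in self.cookies
                if domain_matches(request_host, c.domain)]


# --- server side of the main site (www.example.test) ---
SECRET_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secret store


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so the value is bound to the site's key."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed: str, key: bytes = SECRET_KEY):
    """Return the payload if the tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def accepted_session(cookie_pairs):
    """Server-side selection: with several same-named 'session' cookies in the
    request, accept only one whose integrity tag verifies; ignore the rest."""
    for name, value in cookie_pairs:
        if name == "session":
            payload = verify_value(value)
            if payload is not None:
                return payload
    return None


def demo():
    jar = CookieJar()
    # The main site issues a signed session cookie scoped to its own host.
    jar.set_cookie("www.example.test",
                   Cookie("session", sign_value("alice"), "www.example.test"))
    # A sub-domain sets a same-named cookie scoped to the parent domain.
    tossed = jar.set_cookie("mail.example.test",
                            Cookie("session", "sub-domain-chosen", "example.test"))
    sent = jar.cookies_for("www.example.test")  # both cookies reach the main site
    return tossed, sent, accepted_session(sent)


if __name__ == "__main__":
    print(demo())
```

The model shows the two halves of the problem: the browser lets the sub-domain write a cookie for `example.test`, and the main site then receives two `session` cookies with no way to tell them apart by origin. The HMAC check does not stop the injection itself (that needs the browser-side change the release calls for), but it keeps an unsigned or mis-signed value from being honoured as a session.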

The Foreground Security Research Team is active in the information security research community, aggressively pursuing both new vulnerability research and mitigation of all types of threats. Leveraging its expert understanding of today's web applications, threats and how exploitation works, the team is a consistent contributor to the industry.

About Foreground Security

Foreground Security™ is a leading consulting, training and services firm with offices in Virginia, Florida, California, and Illinois. Foreground Security believes in integrating leading-edge security services, training, and commercial best practices in order to assist government and private sector organizations in optimizing their security posture. The mission of Foreground Security is to aid clients with overall information security through a customer-centric approach. You will never see a one-size-fits-all proposal or solution when you choose Foreground Security as your information security partner. Visit the Foreground website at www.ForegroundSecurity.com for more information.