#subdomains — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #subdomains, aggregated by home.social.
-
@ScottHelme wrote: "The change I referred to prevents arbitrary sibling/parent-domain abuse […]"
I'm not sure if you're referring to the possible match on
"evil-example.com" (see screenshot) in the old code, but if I remember correctly (from my analysis approx. 3 years ago), the client will only accept an exact match of "example.com" or
"<whatever_including_dots>.example.com".So albeit ugly, the old server code should not pose a risk I guess?
W.r.t. unexpected abuse of valid subdomains (*): my worry is that people will use your code for their site without modification, never considering the risk I described.
(*) Or malicious JS (3rd party or XSS) on the main domain - while WebAuthn handling was supposed to take place only on e.g. "login.example.com" (using a dedicated subdomain may be a good idea like Dirk Balfanz wrote).
Since your site appears to be using passkeys as an additional factor, the users of your site may not be at risk. However, the idea of passkeys was to "go passwordless", something that other users of your code will probably embrace.
I haven't scanned all of your code, but if not present, my advice is to at least add a warning for unexpected WebAuthn processing on a subdomain (or even the main domain).
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
@ScottHelme from https://scotthelme.co.uk/open-sourcing-passkeys-php-a-security-focused-webauthn-library-for-php/:
"It now requires an exact match or a true subdomain."
That is probably insufficient. Please read https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 by Dirk Balfanz (Google, screenshot of part of the entry below).
Google doesn't want potentially malicious (e.g. https://sites.google.com) or "forgotten" subdomains (https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Subdomain_takeover) to be able to handle passkeys.
As shown in Google's example, it's best to explicitly whitelist ALL subdomains thay may interact with passkeys to prevent (future) oversight.
PS this is exactly what I meant with "and in specific cases using subdomains and faulty server webauthn implementations" in https://todon.nl/@ErikvanStraten/116595157772945666.
Edited to add: many commercial websites use subdomains where third parties have access to (such as track.example.com), for example used in mass mailings. You don't want a gone rogue third party to be able to handle WebAuthn registrations and logins on your subdomain used by them.
According to the RELATIONS tab in https://www.virustotal.com/gui/domain/report-uri.com your domain has (at least) 3.2K subdomains. Do you trust each of them?
#Passkeys #SubDomainTakeOver #Subdomains #SubDomainHijacking
-
Ah yes, the classic tale of a college freshman who thinks they've discovered the Holy Grail of tech hacks: #subdomains on a campus network. 🤦♂️ Of course, turning this "revelation" into a grand scheme to control every projector and camera on campus is just one #DNS record short of a Hollywood blockbuster. 🎬💻
https://www.edna.land/blogs/posts/scanning/ #techhacks #collegefreshman #cybersecurity #campuslife #HackerNews #ngated -
I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.
-
I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.
-
I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.
-
I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.
-
I just saw the dumbest thing ever. A company has it.com. They are selling subdomains on it.com as if it's worth anything. WTAF? Come on people. With the amount of gTLDs exploding, wtf would I want a subdomain at it.com? Seriously? I don't get the play. Ugh, people will try anything, won't they.
-
So many web apps I have installed. 😄
#SelfHosting #YunoHost #Docker #WebApps #ITStudent #DigitalAutonomy #TechStack #Subdomains #Linux #OpenSource #KalvinBase #Nulu #Memos #OpenGist #Invidious #Redlib #Zusam #TechLife #SystemAdmin #IT
-
So many web apps I have installed. 😄
#SelfHosting #YunoHost #Docker #WebApps #ITStudent #DigitalAutonomy #TechStack #Subdomains #Linux #OpenSource #KalvinBase #Nulu #Memos #OpenGist #Invidious #Redlib #Zusam #TechLife #SystemAdmin #IT
-
So many web apps I have installed. 😄
#SelfHosting #YunoHost #Docker #WebApps #ITStudent #DigitalAutonomy #TechStack #Subdomains #Linux #OpenSource #KalvinBase #Nulu #Memos #OpenGist #Invidious #Redlib #Zusam #TechLife #SystemAdmin #IT
-
How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?
-
How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?
-
How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?
-
How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?
-
How is it possible for someone to implement a redirect on a subdomain of my domain, e.g. subdomain.bl.ag? And what do I need to do to reclaim it?
-
Subdomain enumeration is an essential OSINT technique. Amass and Subfinder are well-known enumeration tools, but they have limitations. Explore this comprehensive database with over 200 sources.
https://osintteam.com/passive-subdomain-enumeration-uncovering-more-subdomains-than-subfinder-amass/
-
Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before? -
Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before? -
Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before? -
Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before? -
Is there a #Linux cli tool that can watch a #DNS zone for change and alert me of the differences? So all #subdomains and the root #domain, all DNS entries (A, AAAA, NS, TXT, CAA, CNAME) are watched every time interval and an helpful output is generated when there is a difference to a state before? -
@[email protected]
I originally named my #server with the intention of setting up sub #domains for other #social sites.
Right now I only have #subdomains for #VPS instances with #databases and other side projects. -
Top French Football Leagues Win Pirate IPTV Blocking Orders
https://torrentfreak.com/top-french-football-leagues-win-pirate-iptv-blocking-orders-240813/
#SiteBlocking #siteblocking #Anti-Piracy #subdomains #France #ligue1 #ligue2 #iptv #DNS
-
Top French Football Leagues Win Pirate IPTV Blocking Orders
https://torrentfreak.com/top-french-football-leagues-win-pirate-iptv-blocking-orders-240813/
#SiteBlocking #siteblocking #Anti-Piracy #subdomains #France #ligue1 #ligue2 #iptv #DNS
-
Top French Football Leagues Win Pirate IPTV Blocking Orders
https://torrentfreak.com/top-french-football-leagues-win-pirate-iptv-blocking-orders-240813/
#SiteBlocking #siteblocking #Anti-Piracy #subdomains #France #ligue1 #ligue2 #iptv #DNS
-
Top French Football Leagues Win Pirate IPTV Blocking Orders
https://torrentfreak.com/top-french-football-leagues-win-pirate-iptv-blocking-orders-240813/
#SiteBlocking #siteblocking #Anti-Piracy #subdomains #France #ligue1 #ligue2 #iptv #DNS
-
Top French Football Leagues Win Pirate IPTV Blocking Orders
https://torrentfreak.com/top-french-football-leagues-win-pirate-iptv-blocking-orders-240813/
#SiteBlocking #siteblocking #Anti-Piracy #subdomains #France #ligue1 #ligue2 #iptv #DNS
-
Hunting #subdomains on a subdomain… 40k #permuations excessive? Maybe.. but I’ll take the 6x increase 📈
-
Hunting #subdomains on a subdomain… 40k #permuations excessive? Maybe.. but I’ll take the 6x increase 📈
-
Hunting #subdomains on a subdomain… 40k #permuations excessive? Maybe.. but I’ll take the 6x increase 📈
-
Hunting #subdomains on a subdomain… 40k #permuations excessive? Maybe.. but I’ll take the 6x increase 📈
-
Hunting #subdomains on a subdomain… 40k #permuations excessive? Maybe.. but I’ll take the 6x increase 📈
#bugbountytips #hackerone -
📬 Spaniens Behörde S2CPI kämpft mit Subdomains
#Internet #Netzpolitik #PiracyShield #Richtervorbehalt #S2CPI #Spanien #Subdomains #Websperren https://sc.tarnkappe.info/0cd793 -
📬 Spaniens Behörde S2CPI kämpft mit Subdomains
#Internet #Netzpolitik #PiracyShield #Richtervorbehalt #S2CPI #Spanien #Subdomains #Websperren https://sc.tarnkappe.info/0cd793 -
📬 Spaniens Behörde S2CPI kämpft mit Subdomains
#Internet #Netzpolitik #PiracyShield #Richtervorbehalt #S2CPI #Spanien #Subdomains #Websperren https://sc.tarnkappe.info/0cd793 -
📬 Spaniens Behörde S2CPI kämpft mit Subdomains
#Internet #Netzpolitik #PiracyShield #Richtervorbehalt #S2CPI #Spanien #Subdomains #Websperren https://sc.tarnkappe.info/0cd793 -
📬 Spaniens Behörde S2CPI kämpft mit Subdomains
#Internet #Netzpolitik #PiracyShield #Richtervorbehalt #S2CPI #Spanien #Subdomains #Websperren https://sc.tarnkappe.info/0cd793 -
Spain’s Ongoing Pirate Site-Blocking War Targets Thousands of Subdomains
#administrativeblocking #siteblocking #subdomains #Piracy #Spain
-
Spain’s Ongoing Pirate Site-Blocking War Targets Thousands of Subdomains
#administrativeblocking #siteblocking #subdomains #Piracy #Spain
-
Spain’s Ongoing Pirate Site-Blocking War Targets Thousands of Subdomains
#administrativeblocking #siteblocking #subdomains #Piracy #Spain
-
Spain’s Ongoing Pirate Site-Blocking War Targets Thousands of Subdomains
#administrativeblocking #siteblocking #subdomains #Piracy #Spain
-
Spain’s Ongoing Pirate Site-Blocking War Targets Thousands of Subdomains
#administrativeblocking #siteblocking #subdomains #Piracy #Spain
-
Cloudflare Email Routing subdomain support, new APIs and security protocols:
-
Cloudflare Email Routing subdomain support, new APIs and security protocols:
-
I cannot connect to one of my #subdomains. I have added the #CNAME pointing to my parent #domain. But the subdomain gives an error when I #ping it.
Error:ping: subdomain.domain.tld: Name or service not known
What am I missing? I have never had this before. -
I cannot connect to one of my #subdomains. I have added the #CNAME pointing to my parent #domain. But the subdomain gives an error when I #ping it.
Error:ping: subdomain.domain.tld: Name or service not known
What am I missing? I have never had this before.