Careful when hosting 3rd party apps on subdomains, or how I hacked Facebook - gdeglin
http://gdeglin.blogspot.com/2010/09/dont-host-3rd-party-applications-on.html

======
gdeglin
This is my first blog post about web security, and hopefully the first of
many. I'd love to hear feedback and I'm happy to answer questions. One of the
concerns I had with this post was that it is highly technical, but I feel the
issue is extremely important since so many sites are vulnerable to these kinds
of issues.

~~~
gleb
It would be helpful to elaborate on:

  * what document.domain is
  * what hijacking a user's session actually implies

~~~
X-Istence
I know what hijacking a user's session is, what is document.domain though?

~~~
gdeglin
This is a good overview: <https://developer.mozilla.org/en/document.domain>

------
rakkhi
Thought it was well written. Would like to see a bit more focus on risk, i.e.
likelihood and impact explored a bit more.

On specific vulnerabilities like this I like the CVE format: e.g.
<http://www.securityfocus.com/bid/38615/info>

information / background, exploit, solution, then some discussion on risk

------
phoboslab
Digg actually had a similar problem a few years ago with pbwiki running on a
subdomain:

<http://www.phoboslab.org/log/2008/06/how-i-hacked-digg>

------
a1g
nice

------
logstar
Great post!

------
heffay
Great post, keep them coming

