Can I take Your Subdomain?

Exploring Same-Site Attacks in the Modern Web

Marco Squarcina¹, Mauro Tempesta¹, Lorenzo Veronese¹, Stefano Calzavara², Matteo Maffei¹
¹ TU Wien, ² Università Ca’ Foscari Venezia & OWASP
30th USENIX Security Symposium (USENIX Security ’21), August 11–13, 2021 (to appear)

| Service | Wildcard | Redirect (www) | PSL | Capabilities |
|---|---|---|---|---|
| agilecrm | | | | js, https |
| anima | | | | js, https |
| campaignmonitor | | | | content |
| cargo | | | | js |
| feedpress | | | | html |
| gemfury | | | | file, https |
| github | | | | js, file, https |
| helpscout | | | | js, file, https |
| jetbrains | | | | content |
| launchrock | | | | js, https |
| ngrok | | | | js, file, headers, https |
| persona | | | | js, https |
| pingdom | | | | js |
| readme.io | | | | js, https |
| shopify | | | | js, https |
| smartjobboard | | | | js, https |
| statuspage | | | | js, https |
| strikingly | | | | js, https |
| surgesh | | | | js, https |
| tumblr | | | | js, file, https |
| uberflip | | | | js, https |
| uptimerobot | | | | content |
| uservoice | | | | js, https |
| webflow | | | | js, https |
| wordpress | | | | js, https |
| worksites | | | | js, https |

Notation

  • service is not affected
  • service is vulnerable
  • the conditions of redirect and PSL do not apply
  • could not evaluate, e.g., due to payment required, no public registration form, etc.

Helpscout only allows hosting arbitrary active content files (JavaScript, CSS); Gemfury only allows hosting arbitrary passive content files (images, media, …); Launchrock implicitly associates every subdomain with the mapped domain, not only the www subdomain.