Simple subdomains handler for CI3
(04-04-2016, 08:48 AM)albertleao Wrote:
(04-04-2016, 08:26 AM)josepostiga Wrote:
(04-04-2016, 08:14 AM)albertleao Wrote:
This is very insecure as I can easily spoof my subdomain to an address.

Ok, now let's analyse this with the following in mind:

- It's a SaaS app, so we have a wild subdomain configuration that's, then, validated on the application for a valid usage license. E.g: customer.app.ext is checked against a database table for a valid license. If not, the application shows an invalid license error.

What kind of vulnerabilities could we have with this kind of configuration? An .env file is kind of useless to this logic and I can't see how you could spoof an invalid address that could bypass the license validation. At least not one that couldn't be used for all web addresses.

Thanks for your share
Best regards,
José Postiga
Senior Backend Developer
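The check discussed in the post above (a wildcard subdomain resolved to a customer and validated against a license table), as an added example that is not part of the original thread or anyone's posted code. It treats the Host header as untrusted input and fails closed; `BASE_DOMAIN`, the function names and the `$licenses` array are assumptions standing in for the application's real domain and database table, and in CI3 the input would come from `$_SERVER['HTTP_HOST']`.

```php
<?php
// Added example: resolve the tenant from the Host header before any license lookup.
// BASE_DOMAIN and $licenses are assumptions, not values from the thread.
const BASE_DOMAIN = 'app.ext';

/**
 * Return the tenant label for a Host header value, or null if the value is
 * not exactly "<label>.app.ext" (optionally followed by ":port").
 */
function tenant_from_host(?string $host): ?string
{
    if ($host === null || $host === '') {
        return null;
    }
    $host = strtolower($host);
    // Drop an optional port; anything else after the name is rejected below.
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $suffix = '.' . BASE_DOMAIN;
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return null; // different domain, or the bare base domain
    }
    $label = substr($host, 0, -strlen($suffix));
    // One DNS label only: letters, digits, inner hyphens, at most 63 chars.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/', $label)) {
        return null;
    }
    return $label;
}

/** Look the tenant up in the license table; unknown or expired tenants fail closed. */
function has_valid_license(?string $tenant, array $licenses, int $now): bool
{
    return $tenant !== null
        && isset($licenses[$tenant])
        && $licenses[$tenant] >= $now;
}

// Constructed sample data: tenant => license expiry (Unix time).
$licenses = ['customer' => 2000000000, 'oldco' => 1000000000];
$now = 1700000000;
$samples = ['customer.app.ext', 'CUSTOMER.app.ext:8080', 'oldco.app.ext',
            'customer.app.ext.evil.test', 'a.b.app.ext', "x'--.app.ext", 'app.ext'];
foreach ($samples as $h) {
    $t = tenant_from_host($h);
    printf("%-28s tenant=%-10s licensed=%s\n", $h, var_export($t, true),
        has_valid_license($t, $licenses, $now) ? 'yes' : 'no');
}
```

Only the first two constructed hosts resolve to a licensed tenant; the expired, multi-label, foreign-suffix and malformed values are all rejected before the label could reach a database query.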