I’m in the process of building an application (a CMS to be more specific) which allows users to add Javascript to their content. There really is no way around allowing Javascript, and because of it, some security concerns are now becoming quite apparent. What we’re mainly concerned about is cookie theft.
To explain the system a bit more, the CMS allows a single user to have access to multiple sites. A user can invite another user to edit their site. Someone accessing a site will then execute any JS that has been added.
Here’s a scenario we’re trying to get around:
- Malicious user “Evil Bob” writes Javascript to read cookies and email them to him.
- Evil Bob invites me to edit their site
- I view site and my cookies are sent off to the Evil Bob.
- Evil Bob now has access to my cookies, and can edit any sites I have access to.
We have added some cookie theft protection, which makes it a bit harder to spoof cookies. If order to use a stolen cookie, you would also have to spoof all headers to match those of the victim.
We’ve had some ideas for fixes, like putting each site on an individual sub-domain, and requiring separate login for each account. Maybe this is the best solution.
Any other recommendations?
Thanks for the answers!
We ended up going putting each account on unqiue sub-domains, so even if a cookie was stolen, it would only affect a single site, as opposed to all those that you own. This means a malicious user can only gain access to what they already have.