Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

翻译：在本文中,我们首次界定和量化了相关领域攻击者对网络应用安全构成的威胁。特别是,我们首先澄清了相关领域攻击者通过不同攻击矢量获得的能力,表明相关领域攻击者概念的不同实例值得注意。然后我们研究如何利用这些能力损害网络应用安全,注重不同角度,包括饼干、CSP、COSC、COSC、Message和域内放松。我们在此框架内,报告在Tranco 名单上50公里最高域进行大规模安全测量,发现887个地点存在脆弱性,我们在那里量化了相关领域攻击者对流行网络应用的威胁。