W3C home > Mailing lists > Public > public-web-security@w3.org > February 2010

Re: [XHR] XMLHttpRequest specification lacks security considerations

From: Bil Corry <bil@corry.biz>
Date: Wed, 10 Feb 2010 01:37:43 -0800
Message-ID: <4B727E67.6090705@corry.biz>
To: Maciej Stachowiak <mjs@apple.com>
CC: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Thomas Roessler <tlr@w3.org>, W3C WebApps WG <public-webapps@w3.org>, public-web-security@w3.org
Maciej Stachowiak wrote on 2/9/2010 4:13 AM: 
> HTTPbis should address this threat in the security considerations
> section, and should strongly consider making it a MUST-level
> requirement for servers to check that the Host header is a host they
> serve. If HTTP had that requirement and all servers followed it, then
> the risk of DNS rebinding attacks would be eliminated.

Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged then viewed via a web browser.

And some webapps conditionally show debugging information based on the host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace.  Simply forging the host header allows an attacker to view the full debugging information.

There are probably other threats too, such as a site using the Host header to craft links, etc.


- Bil
Received on Wednesday, 10 February 2010 09:38:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT