W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Potential security risk of XHR in distributed authoring

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 14 Apr 2006 12:57:47 +0200
Message-ID: <443F802B.1020508@gmx.de>
To: public-webapi@w3.org

Hi,

while discussing RFC2518bis, the IETF WebDAV WG got feedback ([1]) 
pointing out a potential attack scenario that hasn't been discussed 
before a lot, and mainly depends on three factors:

- HTTP methods such as PUT or DELETE that may overwrite/delete existing 
content

- collaborative authoring of web resources by different users on the 
same site (so this is *not* about cross site attacks)

- presence of scriptable HTTP components in browsers (XHR).

Summary (from [2]):

> The XmlHttpRequest object (implemented now in all current browsers) allows
> issueing arbitrary HTTP (and WebDAV) requests under the credentials of the
> authenticated user, in particular the DELETE method.
> 
> If user A prepares an HTML page containing code that will issue a DELETE request
> against one of user B's resources, and tricks him/her into navigating to that
> page, the browser will issue the DELETE request with B's credentials (no
> confirmation required).

At this point the WebDAV working group really doesn't know what to do 
with this, except for potentially adding it to the Security 
Considerations in RFC2518bis.

On the other hand, this isn't really specific to WebDAV (being based on 
HTTP PUT/DELETE and XHR-like functionality), so maybe somebody over here 
has some idea how to deal with it.

Best regards, Julian


[1] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2006JanMar/0701.html>

[2] <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>
Received on Friday, 14 April 2006 11:00:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT