
Re: Potential security risk of XHR in distributed authoring

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 14 Apr 2006 20:29:07 +0000 (UTC)
To: Julian Reschke <julian.reschke@gmx.de>
Cc: public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0604142020080.21459@dhalsim.dreamhost.com>

On Fri, 14 Apr 2006, Julian Reschke wrote:
> 
> Summary (from [2]):
> 
> > The XmlHttpRequest object (implemented now in all current browsers) 
> > allows issuing arbitrary HTTP (and WebDAV) requests under the 
> > credentials of the authenticated user, in particular the DELETE 
> > method.
> > 
> > If user A prepares an HTML page containing code that will issue a 
> > DELETE request against one of user B's resources, and tricks him/her 
> > into navigating to that page, the browser will issue the DELETE 
> > request with B's credentials (no confirmation required).

This is just your typical XSS attack.

   http://en.wikipedia.org/wiki/Cross_Site_Scripting

The solution is to not allow scripts uploaded by one user to be displayed 
to another user, or to only allow them to be displayed on a site that is 
unrelated to where you are doing your authenticated edits.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 14 April 2006 20:29:18 GMT
