Re: Potential security risk of XHR in distributed authoring

On Fri, 14 Apr 2006, Julian Reschke wrote:
> 
> Summary (from [2]):
> 
> > The XmlHttpRequest object (implemented now in all current browsers) 
> > allows issuing arbitrary HTTP (and WebDAV) requests under the 
> > credentials of the authenticated user, in particular the DELETE 
> > method.
> > 
> > If user A prepares an HTML page containing code that will issue a 
> > DELETE request against one of user B's resources, and tricks him/her 
> > into navigating to that page, the browser will issue the DELETE 
> > request with B's credentials (no confirmation required).

This is just your typical XSS attack.

   http://en.wikipedia.org/wiki/Cross_Site_Scripting

The solution is to not allow scripts uploaded by one user to be displayed 
to another user, or to only allow them to be displayed on a site that is 
unrelated to where you are doing your authenticated edits.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 14 April 2006 20:29:18 UTC
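The mitigation Ian describes, as an added example that is not code from the thread or from any WebDAV server: a serving policy that never renders another user's script-capable uploads on the authoring origin and instead sends them to an unrelated origin that holds no authoring credentials. The two hostnames are constructed placeholders.

```python
"""Serving policy that keeps uploaded active content off the authoring origin.

Constructed example for the mitigation described in the thread; not code from
the thread or from any WebDAV server. Hostnames are placeholders.
"""

AUTHORING_HOST = "dav.example.test"       # assumption: host where authenticated (WebDAV) edits happen
STATIC_HOST = "usercontent.example.test"  # assumption: unrelated origin that never sees auth cookies

# Media types a browser renders as a document that can run script.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript",
}


def is_active_content(content_type: str) -> bool:
    """True if the stored media type would execute script when rendered."""
    base = content_type.split(";", 1)[0].strip().lower()
    return base in ACTIVE_TYPES


def serve_policy(host: str, path: str, content_type: str, user_uploaded: bool) -> dict:
    """Decide status and headers for a GET of a stored resource.

    On the authoring origin, another user's active content is never rendered;
    it is redirected to the unrelated static origin, where any script it carries
    runs without the viewer's authoring credentials and is not same-origin with
    the authoring host.
    """
    inert = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    if host == STATIC_HOST:
        return {"status": 200, "headers": inert}
    if host != AUTHORING_HOST:
        return {"status": 421, "headers": {}}  # Misdirected Request
    if user_uploaded and is_active_content(content_type):
        return {"status": 302, "headers": {"Location": f"https://{STATIC_HOST}{path}"}}
    return {"status": 200, "headers": inert}


if __name__ == "__main__":
    # Constructed requests: user A's uploaded page fetched on the authoring host,
    # the same page on the static host, and an inert upload on the authoring host.
    for args in [(AUTHORING_HOST, "/users/a/page.html", "text/html", True),
                 (STATIC_HOST, "/users/a/page.html", "text/html", True),
                 (AUTHORING_HOST, "/users/a/notes.txt", "text/plain", True)]:
        print(args[0], args[1], "->", serve_policy(*args)["status"])
```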