W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

From: Alex Russell <alex@dojotoolkit.org>
Date: Fri, 14 Apr 2006 19:41:20 -0700
To: public-webapi@w3.org
Message-Id: <200604141941.23356.alex@dojotoolkit.org>
On Tuesday 11 April 2006 1:37 pm, Ian Hickson wrote:
> On Tue, 11 Apr 2006, Maciej Stachowiak wrote:
> > So, in itself, that might not be too bad an exploit. You can't get
> > the Cookie or Authorization header, or document.cookie, so even if
> > you find such a test script on a live server where users have login
> > accounts. However, suppose there's a test script that also echoes
> > back all the headers it sends in the body, some kind of debug mode
> > maybe. Now you have something exploitable.
>
> Your script is getting somewhat complex now -- it needs to take GET
> query parameters and convert them into HTTP headers and to echo all
> its headers into the body as well. Does this ever happen? I've
> written echo scripts myself but I can't think of any that are
> vulnerable here.

Perhaps not on their own, but attacks like "response splitting" which 
tends to affect poorly written proxies could easily induce this 
scenario.

Regards

-- 
Alex Russell
alex@jot.com
alex@dojotoolkit.org BE03 E88D EABB 2116 CC49 8259 CF78 E242 59C3 9723

Received on Monday, 17 April 2006 15:10:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT