
Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 17 Apr 2006 21:44:32 +0000 (UTC)
To: Alex Russell <alex@dojotoolkit.org>
Cc: public-webapi@w3.org
Message-ID: <Pine.LNX.4.62.0604172139290.21459@dhalsim.dreamhost.com>

On Fri, 14 Apr 2006, Alex Russell wrote:
>
> On Tuesday 11 April 2006 1:37 pm, Ian Hickson wrote:
> > On Tue, 11 Apr 2006, Maciej Stachowiak wrote:
> > > So, in itself, that might not be too bad an exploit. You can't get
> > > the Cookie or Authorization header, or document.cookie, so even if
> > > you find such a test script on a live server where users have login
> > > accounts. However, suppose there's a test script that also echoes
> > > back all the headers it sends in the body, some kind of debug mode
> > > maybe. Now you have something exploitable.
> >
> > Your script is getting somewhat complex now -- it needs to take GET
> > query parameters and convert them into HTTP headers and to echo all
> > its headers into the body as well. Does this ever happen? I've
> > written echo scripts myself but I can't think of any that are
> > vulnerable here.
> 
> Perhaps not on their own, but attacks like "response splitting" which 
> tends to affect poorly written proxies could easily induce this 
> scenario.

Granted, but in that case the script is already very vulnerable to all 
kinds of attacks today (e.g. cookie stuffing, XSS) and a cross-site read 
will be the least of its problems.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 17 April 2006 21:44:40 GMT
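A defensive illustration of the echo-script scenario the thread discusses, added here and not part of the original messages: the "query parameters become response headers" pattern in its vulnerable form beside a hardened version that rejects CR/LF (the response-splitting vector), run over constructed inputs. All function and header names are hypothetical.

```python
import re
from urllib.parse import parse_qs

# RFC 7230 token characters for a header name, and visible ASCII plus SP/HTAB
# for a field value. Anything else (notably CR and LF) is refused.
_SAFE_HEADER_NAME = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
_SAFE_HEADER_VALUE = re.compile(r"[\t\x20-\x7e]*")


def echo_headers_unsafe(query_string):
    """Vulnerable pattern: query parameters are copied into response headers
    verbatim. A percent-encoded CR/LF in a value lets the caller add header
    lines or end the header block early (HTTP response splitting)."""
    headers = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            headers.append((name, value))
    return headers


def echo_headers_safe(query_string):
    """Hardened form: names must be tokens and values must contain no control
    characters. Offending pairs are dropped and returned separately so the
    caller can log them instead of emitting them."""
    headers, rejected = [], []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            # fullmatch, not match: '$' would accept a trailing newline.
            if _SAFE_HEADER_NAME.fullmatch(name) and _SAFE_HEADER_VALUE.fullmatch(value):
                headers.append((name, value))
            else:
                rejected.append((name, value))
    return headers, rejected


def serialize(headers):
    """Render header pairs as the raw header block that would go on the wire."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def splits_response(raw_header_block):
    """Detection check: True if a blank line appears before the final
    terminator, i.e. the header block has been split."""
    return raw_header_block.find("\r\n\r\n") != len(raw_header_block) - 4
```

Constructed input such as `X-Debug=ok%0d%0aX-Injected:%201` is decoded by `parse_qs` into a value containing a real CR/LF pair, which the safe variant rejects and the unsafe one forwards.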
