XHR security risks

Hi,

I'd like to pick up the discussion I started several weeks ago (see 
<http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0305.html> 
and copy below)...

In the meantime I've discussed the issue with Roy F., and we also talked 
about it over on Mark Nottingham's blog (see 
<http://www.mnot.net/blog/2006/04/20/form.submit>). I'm still convinced 
that a user agent that allows an HTML page to submit an unsafe method 
(such as POST, DELETE or PUT) without explicit user interaction is 
buggy. This applies both to form.submit and XHR.

Best regards, Julian




-- quote --
while discussing RFC2518bis, the IETF WebDAV WG got feedback ([1])
pointing out a potential attack scenario that hasn't been discussed
before a lot, and mainly depends on three factors:

- HTTP methods such as PUT or DELETE that may overwrite/delete existing
content

- collaborative authoring of web resources by different users on the
same site (so this is *not* about cross site attacks)

- presence of scriptable HTTP components in browsers (XHR).

Summary (from [2]):

 > The XmlHttpRequest object (implemented now in all current browsers) 
allows
 > issueing arbitrary HTTP (and WebDAV) requests under the credentials 
of the
 > authenticated user, in particular the DELETE method.
 >
 > If user A prepares an HTML page containing code that will issue a 
DELETE request
 > against one of user B's resources, and tricks him/her into navigating 
to that
 > page, the browser will issue the DELETE request with B's credentials (no
 > confirmation required).

At this point the WebDAV working group really doesn't know what to do
with this, except for potentially adding it to the Security
Considerations in RFC2518bis.

On the other hand, this isn't really specific to WebDAV (being based on
HTTP PUT/DELETE and XHR-like functionality), so maybe somebody over here
has some idea how to deal with it.

Best regards, Julian


[1] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2006JanMar/0701.html>

[2] <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>

Received on Friday, 14 April 2006 11:00:06 GMT
--

Received on Thursday, 8 June 2006 12:57:01 UTC