
Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 7 Jun 2009 15:54:21 -0700
Message-ID: <7789133a0906071554ob3da20dh7eaa7996b04ef9a6@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: public-webapps <public-webapps@w3.org>

On Sun, Jun 7, 2009 at 3:46 PM, Mark S. Miller <erights@google.com> wrote:
> [- all but Adam and public-webapps]
>
> On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
>> > If servers at A don't freely hand out such tokens in response to
>> > guessable GET requests, then the secret token prevents
>> > XSS-at-A-attacker's XSRF against B from abusing the authority that B
>> > associates with A.
>>
>> I don't see what GET has to do with it.  In any case, the XSS attacker
>> can always enter the site at the home page (e.g., http://example.com/)
>> and follow whatever obscure links exist until it reaches the page that
>> contains the token.[...]
>
> If the starting point "http://example.com/" is guessable, then the XSS
> attacker thereby succeeds at obtaining the token only if the server at
> example.com hands out the token in response to a guessable sequence of GET
> requests.

GET really doesn't have anything to do with it.  The attacker can
issue POST requests (and really any other method) too.  Note that the
attacker can read the response and follow any links, etc.

> If the starting point is not guessable, then I don't understand your
> example.

Virtually all sites have a well-known starting point, aka the home page.

http://digg.com/
http://trac.webkit.org/
http://slashdot.org/
http://www.cnn.com/

etc.  Not to pick on news sites...  I just grabbed a few from my
most-visited page.  :)

Adam
Received on Sunday, 7 June 2009 22:55:13 GMT
