W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 04 Nov 2009 21:36:47 -0800
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-id: <C8C9E8AC-F3C3-40D9-9273-2A02454A37A3@apple.com>
To: Tyler Close <tyler.close@gmail.com>

On Nov 3, 2009, at 5:33 PM, Tyler Close wrote:

> I was just catching up on email and thought it might be useful to
> respond to this one even though it's a couple weeks old now, since in
> general the group seems to want more examples.

Thanks for the reply.

>
> On Mon, Oct 12, 2009 at 7:19 AM, Maciej Stachowiak <mjs@apple.com>  
> wrote:
>> As a side note, I should add that Tyler's scenario would be much  
>> simpler
>> overall if printer.example.net used a grant of read access to the  
>> photo it
>> wants to print on storage.example.org, instead of granting write  
>> access to a
>> new location.
>
> In this scenario, photo.example.com has the opportunity to take the
> role of attacker in a CSRF-like attack. In the legitimate case,
> photo.example.com is expected to send a URL to printer.example.net
> which identifies the photo to be printed, such as
> <http://storage.example.org/photo123>. In the attack case,
> photo.example.com could send the URL that identifies the
> printer.example.net client list, such as
> <http://storage.example.org/clients123>. Consequently,
> photo.example.com receives a print out of the printer.example.net
> client list, instead of a photo printout.

What's the attack here? Is it information disclosure or vandalism? If  
the user should not have access to the printer.exmple.com client list,  
then printer.example.com should not be able to access that resource  
with the user's cookie. So I don't think there is a risk of  
information disclosure. There is the possibility of vandalism - that  
the photo site wastes the user's money by making them print something  
other than the photo they wanted. But it could do this simply by  
providing the URL to a resource that it does have access to, but which  
contains something undesirable (goatse for example). So I think there  
isn't a real vulnerability here.

That being said, my understanding of this threat was greatly improved  
by the discussion at TPAC. I now think the best way to address multi- 
site collaboration is by applying the DBAD discipline. Here's how I  
would do it in this case:

The storage service is designed to allow collaborative access by  
multiple sites, therefore it needs to let them distinguish their own  
requests from third-party requests. One way to do so is to partition  
resources such that each is owned by exactly one storage domain. The  
only way to share information cross-domain is to copy. Resource names  
include the domain that owns them. Then it offers the following  
command set (angle brackets are used to delimit metasyntactic  
variables):

(This may be more complicated than needed, for the sake of clarity):

Read <from>
    If the <from> resource is owned by the domain specified by Origin,  
return the data.

Write <to>\n
<filedata>
    If the <from> resource is owned by the domain specified by Origin,  
store <filedata> at the resource.

SameDomainCopy <from> <to>
    <from> and <to> must be in the same domain and must match Origin.

GetReadToken <resource>
    If the Origin header matches <resource>, return a one-time read  
token which can be used to copy a resource cross-domain

GetWriteToken <resource>
    If the Origin header matches <resource>, return a one-time read  
token which can be used to copy a resource cross-domain

CrossDomainCopy <from-domain> <from-resource> <read-token> <to-domain>  
<to-resource> <write-token>
     <read-token> must be a valid read token for <from-resource>, and  
<from-resource> must be owned by <from-domain>. <write-token> must be  
a valid write token for <to-resource>, and <to-resource> must be owned  
by <to-domain>. Origin must match at least one of <from-domain> or <to- 
domain>.

This allows two sites to agree to copy a resource from one to the  
other on storage.exmple.org without introducing a confused deputy  
hazard.

In the original scenario, photo.example.com would get a resource name  
and a write token from printer.example.net, would obtain its own read  
token for the resource to copy using GetReadToken, and then issue a  
copy request with both domains and both tokens using CrossDomainCopy.  
It's impossible for printer.example,net to make photo.example.com  
accidentally overwrite its own resources in this case, because the  
request on behalf of a third party is distinct from any request it  
would make on its own behalf. You could argue that neither Origin nor  
Cookie in the cross-domain network resources are necessary to make  
this work, but I think in this case they can make the system easier to  
build and more robust.

>
>> Or it can just ask photo.example.com to read the photo from
>> storage.example.org and send the actual data. Either of these much  
>> less
>> abusable than writing, and would be a safer approach, whether or  
>> not the
>> overall design depends on secret tokens. The grant of read access  
>> can be
>> one-time or time-limited if necessary. Thus, I think the scenario is
>> somewhat contrived. Likely cross-site interactions would not  
>> involve such a
>> complex process to transfer data. The root of the vulnerability in  
>> Tyler's
>> scenario is writing in a shared namespace to transfer data, instead  
>> of
>> simply granting read access to the existing copy, or transferring  
>> the actual
>> data bits.
>
> The semantics of the request, read versus write, are not relevant to
> the attack. As Maciej explained in the TPAC meeting today, the actual
> problem occurs when a request is composed using data received from 2
> or more sites. As an historical note, it's interesting to observe the
> initial misstep here and so conjecture that web developers may also
> misunderstand the dangers and so use CORS-with-Origin in an insecure
> way.
>
> A request composed from data received from 2 or more sites should be a
> common pattern in any *cross-origin* application. It's the nature of
> the problem space. There's no need for examples to be complicated to
> demonstrate the problem. If people find Maciej's example simpler, it
> demonstrates the vulnerability just as well.

I don't really agree that composing a request from data received from  
2 or more sites is likely to be common. Sites are doing cross-domain  
collaboration now, using techniques like OAuth, JSONP, or asking the  
user for their password for another site. To my knowledge, the sites  
doing this are general having a pure bilateral interaction that is  
well modeled by the example in my CORS background slide.

Regards,
Maciej
Received on Thursday, 5 November 2009 05:37:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT