W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 5 Nov 2009 17:48:18 -0800
Message-ID: <5691356f0911051748h4d6fc9fct9c013503c895f567@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Hi Maciej,

Responses inline below...

On Wed, Nov 4, 2009 at 9:36 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Nov 3, 2009, at 5:33 PM, Tyler Close wrote:
>> On Mon, Oct 12, 2009 at 7:19 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>>>
>>> As a side note, I should add that Tyler's scenario would be much simpler
>>> overall if printer.example.net used a grant of read access to the photo
>>> it
>>> wants to print on storage.example.org, instead of granting write access
>>> to a
>>> new location.
>>
>> In this scenario, photo.example.com has the opportunity to take the
>> role of attacker in a CSRF-like attack. In the legitimate case,
>> photo.example.com is expected to send a URL to printer.example.net
>> which identifies the photo to be printed, such as
>> <http://storage.example.org/photo123>. In the attack case,
>> photo.example.com could send the URL that identifies the
>> printer.example.net client list, such as
>> <http://storage.example.org/clients123>. Consequently,
>> photo.example.com receives a print out of the printer.example.net
>> client list, instead of a photo printout.
>
> What's the attack here? Is it information disclosure or vandalism?

The problem is information disclosure. My understanding of your
proposed design was that photo.example.com would grant read access
over a file to printer.example.net and send the file's URL to
printer.example.net. The printer.example.net would then use its own
credentials to read the file content, print it out and mail it to the
recipient. In the legitimate case, photo.example.com grants read
access to a photo file that it owns. In the attack case,
photo.example.com sends a URL for the printer.example.net client list.
The printer.example.net site already has permission to read its own
file, so it prints it out and mails it to the attacker.

Perhaps this design is not what you originally intended, but it was my
understanding from the original email:

http://www.w3.org/mid/5D7511B2-DA9D-40AF-A536-D799FB6EEFD8@apple.com
"""
As a side note, I should add that Tyler's scenario would be much
simpler overall if printer.example.net used a grant of read access to
the photo it wants to print on storage.example.org, instead of
granting write access to a new location. Or it can just ask
photo.example.com to read the photo from storage.example.org and send
the actual data. Either of these much less abusable than writing, and
would be a safer approach, whether or not the overall design depends
on secret tokens. The grant of read access can be one-time or time-
limited if necessary. Thus, I think the scenario is somewhat
contrived. Likely cross-site interactions would not involve such a
complex process to transfer data. The root of the vulnerability in
Tyler's scenario is writing in a shared namespace to transfer data,
instead of simply granting read access to the existing copy, or
transferring the actual data bits.
"""

Either way, this was an older email and I am happy to move on to
discuss your most current thinking on this topic.

> That being said, my understanding of this threat was greatly improved by the
> discussion at TPAC. I now think the best way to address multi-site
> collaboration is by applying the DBAD discipline. Here's how I would do it
> in this case:
>
> The storage service is designed to allow collaborative access by multiple
> sites, therefore it needs to let them distinguish their own requests from
> third-party requests. One way to do so is to partition resources such that
> each is owned by exactly one storage domain. The only way to share
> information cross-domain is to copy. Resource names include the domain that
> owns them. Then it offers the following command set (angle brackets are used
> to delimit metasyntactic variables):
>
> (This may be more complicated than needed, for the sake of clarity):
>
> Read <from>
>   If the <from> resource is owned by the domain specified by Origin, return
> the data.
>
> Write <to>\n
> <filedata>
>   If the <from> resource is owned by the domain specified by Origin, store
> <filedata> at the resource.
>
> SameDomainCopy <from> <to>
>   <from> and <to> must be in the same domain and must match Origin.
>
> GetReadToken <resource>
>   If the Origin header matches <resource>, return a one-time read token
> which can be used to copy a resource cross-domain
>
> GetWriteToken <resource>
>   If the Origin header matches <resource>, return a one-time read token
> which can be used to copy a resource cross-domain
>
> CrossDomainCopy <from-domain> <from-resource> <read-token> <to-domain>
> <to-resource> <write-token>
>    <read-token> must be a valid read token for <from-resource>, and
> <from-resource> must be owned by <from-domain>. <write-token> must be a
> valid write token for <to-resource>, and <to-resource> must be owned by
> <to-domain>. Origin must match at least one of <from-domain> or <to-domain>.
>
> This allows two sites to agree to copy a resource from one to the other on
> storage.exmple.org without introducing a confused deputy hazard.
>
> In the original scenario, photo.example.com would get a resource name and a
> write token from printer.example.net, would obtain its own read token for
> the resource to copy using GetReadToken, and then issue a copy request with
> both domains and both tokens using CrossDomainCopy. It's impossible for
> printer.example,net to make photo.example.com accidentally overwrite its own
> resources in this case, because the request on behalf of a third party is
> distinct from any request it would make on its own behalf. You could argue
> that neither Origin nor Cookie in the cross-domain network resources are
> necessary to make this work,

Indeed. By adopting the explicit permission passing style that I
advocate for, you have avoided the CSRF-like attacks that are a danger
when relying on Origin and Cookie. *It seems we both recognize that
relying on Origin and Cookie is dangerous.*

The Read, Write and SameDomainCopy methods still rely on Origin and
Cookie, so the code will have to be very careful not to use these
operations with a URL received from another site. For example, if
Origin A sends a URL to Origin B, then Origin B's code must be careful
to never use that URL in a Read, Write or SameDomainCopy operation, or
a CSRF-like attack would occur. This danger could be eliminated by
using explicit permission passing for these operations as well.

> but I think in this case they can make the system easier to build and more robust.

That part is unclear to me. I can clearly see some costs that have
been created: additional unnecessary parameters; hard restrictions on
the structure of the URL namespace; and a loss of flexibility in the
API. For example, it's not possible to just give another service an
output file that it can simply write to. It must write its output to
its own file and then copy the data to the output file. The
cross-domain part of the API seems determined to make some use of
Origin, but to what advantage is unclear.

>> A request composed from data received from 2 or more sites should be a
>> common pattern in any *cross-origin* application. It's the nature of
>> the problem space. There's no need for examples to be complicated to
>> demonstrate the problem. If people find Maciej's example simpler, it
>> demonstrates the vulnerability just as well.
>
> I don't really agree that composing a request from data received from 2 or
> more sites is likely to be common. Sites are doing cross-domain
> collaboration now, using techniques like OAuth, JSONP, or asking the user
> for their password for another site.

You say you don't agree, but your examples are of requests composed of
data from 2 or more sites.

> To my knowledge, the sites doing this
> are general having a pure bilateral interaction that is well modeled by the
> example in my CORS background slide.

I don't understand this last sentence.

Closing remark:

In another thread, you've written "I do think that a way to do an
anonymous XHR is justified", so I don't know how much sense it makes
to continue this thread. You put so much effort into this email that I
felt I owed you a response.

Cheers,
--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 6 November 2009 01:48:52 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT