W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Getify <getify@gmail.com>
Date: Wed, 10 Nov 2010 14:08:34 -0600
Message-ID: <6CD2AB1255744B52B79F36715C9EA460@spartacus>
To: <public-webapps@w3.org>
?A discussion has been going on in W3C public-html about a proposed `rel=anonymous` feature that would suppress cookies, auth, referrer headers, etc. The purpose would be to use that rel attribute value on static resources to improve performance, by cutting down on unnecessary headers being sent in the request.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11235

It was brought up by Billy Hoffman (http://zoompf.com) that some web applications have very sensitive sessions and they are set up to expire the session (ie, log the person out) if a request is received that has no session cookie header in it, etc. The assertion was that this type of thing would be a potential DoS attack vector, by allowing an unrelated website to include a hidden <img rel=anonymous> request in their markup that made a request to a site known to log out on such non-cookie requests, and thus effectively logging users out of the app without their control/knowledge.

Whether this is or is not a valid attack vector is possibly open to discussion. But it was brought up that if it is valid, then the same issue mihght also affect CORS xhr requests. I was asked to bring this issue up here to see if anyone has any knowledge or thoughts on that potential issue/vulnerability for CORS xhr?


--Kyle
Received on Wednesday, 10 November 2010 20:09:11 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:41 GMT