W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 10 Nov 2010 12:14:48 -0800
Message-ID: <AANLkTimdfWo6b20NWJrTfMA+G6XzoF_y2Hw0TCRmnPC6@mail.gmail.com>
To: Getify <getify@gmail.com>
Cc: public-webapps@w3.org
On Wed, Nov 10, 2010 at 12:08 PM, Getify <getify@gmail.com> wrote:
> A discussion has been going on in W3C public-html about a proposed
> `rel=anonymous` feature that would suppress cookies, auth, referrer headers,
> etc. The purpose would be to use that rel attribute value on static
> resources to improve performance, by cutting down on unnecessary headers
> being sent in the request.
>
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=11235
>
> It was brought up by Billy Hoffman (http://zoompf.com) that some web
> applications have very sensitive sessions and they are set up to expire the
> session (ie, log the person out) if a request is received that has no
> session cookie header in it, etc. The assertion was that this type of thing
> would be a potential DoS attack vector, by allowing an unrelated website to
> include a hidden <img rel=anonymous> request in their markup that made a
> request to a site known to log out on such non-cookie requests, and thus
> effectively logging users out of the app without their control/knowledge.
>
> Whether this is or is not a valid attack vector is possibly open to
> discussion. But it was brought up that if it is valid, then the same
> issue mihght also affect CORS xhr requests. I was asked to bring this issue
> up here to see if anyone has any knowledge or thoughts on that potential
> issue/vulnerability for CORS xhr?

How will they know which session to expire given that no cookies are
sent and so they can't who the request is coming from?

Keep in mind that you can create the same type of request server-to-server.

/ Jonas
Received on Wednesday, 10 November 2010 20:15:46 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:41 GMT