W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2010

Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 10 Nov 2010 21:40:01 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: Getify <getify@gmail.com>, public-webapps@w3.org
Message-ID: <210md6tek2s1fevhae530gjiiuvb3vtfii@hive.bjoern.hoehrmann.de>
* Jonas Sicking wrote:
>> It was brought up by Billy Hoffman (http://zoompf.com) that some web
>> applications have very sensitive sessions and they are set up to expire the
>> session (ie, log the person out) if a request is received that has no
>> session cookie header in it, etc. The assertion was that this type of thing
>> would be a potential DoS attack vector, by allowing an unrelated website to
>> include a hidden <img rel=anonymous> request in their markup that made a
>> request to a site known to log out on such non-cookie requests, and thus
>> effectively logging users out of the app without their control/knowledge.

>How will they know which session to expire given that no cookies are
>sent and so they can't who the request is coming from?

You can expire the client-side part of the session without knowing which
session it is, so long as the browser reads the Set-Cookie header in the
response. You could simply respond with an expired Set-Cookie header to
any request without a Cookie header. The server-side part of the session
would remain active, of course, but that makes no difference to users.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 10 November 2010 20:40:46 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:28 UTC