Re: [cors] Legacy Servers: POST Body Format

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 03 Aug 2011 11:24:24 -0400
Message-ID: <4E396828.8030704@mit.edu>
To: public-webapps@w3.org

On 8/3/11 5:03 AM, Philippe De Ryck wrote:
>> You can create pretty much any arbitrary message body you want using
>> application/x-www-form-urlencoded already by crafting smart names and
>> values so the real importance is in not being able to set Content-Type.
>> This is not a security problem as far as I can tell.
>
> Using a form still results in the use of = and & in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector.
>
> 	BEGIN:VCALENDAR
> 	VERSION:2.0
> 	PRODID:-//hacksw/handcal//NONSGML v1.0//EN
> 	BEGIN:VEVENT
> 	UID:uid1@example.com
> 	DTSTAMP:19970714T170000Z
> 	ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
> 	DTSTART:19970714T170000Z
> 	DTEND:19970715T035959Z
> 	SUMMARY:Bastille Day Party
> 	END:VEVENT
> 	END:VCALENDAR

Trivial encoding of the above data in a normal form:

<!DOCTYPE html>
<form
  action="put_your_echo_script_here_to_see_what_the_POST_data_looks_like"
  method="POST"
  enctype="text/plain">
   <input type="hidden"
          name="BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:19970714T170000Z
ORGANIZER;CN"
          value="John Doe:MAILTO:john.doe@example.com
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
">
   <input type="submit" value="Send me some ICS!">
</form>

This can be done cross-site by browsers right this second.  The submit 
can be fully scripted, so doesn't even need user interaction.  Just 
loading a page with such a form can send your nice ICS data to any HTTP 
server that the UA is willing to reach.

-Boris
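Added example (not part of the thread, and not code from any of the participants): a small Python model of what a browser puts on the wire for Boris's enctype="text/plain" form, next to the two server-side checks the discussion contrasts. The encoding follows the HTML specification's plain-text form-data algorithm (each entry serialised as name, "=", value, CRLF, with lone CR or LF in names and values normalised to CRLF); the endpoint type text/calendar, the allowed origin and the foreign origin are constructed values, not anything from the thread. The point for a legacy server is that a check which only looks at the body shape cannot tell a form submission from a first-party client, whereas requiring a Content-Type that HTML forms cannot produce does distinguish them, because that type also forces a CORS preflight.

```python
import re

# The ICS sample from the thread, kept line for line.
ICS_LINES = [
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//hacksw/handcal//NONSGML v1.0//EN",
    "BEGIN:VEVENT",
    "UID:uid1@example.com",
    "DTSTAMP:19970714T170000Z",
    "ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com",
    "DTSTART:19970714T170000Z",
    "DTEND:19970715T035959Z",
    "SUMMARY:Bastille Day Party",
    "END:VEVENT",
    "END:VCALENDAR",
]

# The single hidden field of the form in the message: everything before the
# "=" in the ORGANIZER line is the field name, everything after it the value.
# The value keeps the trailing newline that precedes the closing quote.
FORM_FIELDS = [(
    "\n".join(ICS_LINES[:6]) + "\nORGANIZER;CN",
    "John Doe:MAILTO:john.doe@example.com\n" + "\n".join(ICS_LINES[7:]) + "\n",
)]

# What the echo script in the message would show: the ICS text itself, with
# CRLF line ends and one blank line from the field terminator.
EXPECTED_BODY = "\r\n".join(ICS_LINES) + "\r\n\r\n"

# Constructed endpoint policy (assumptions for this example).
EXPECTED_TYPE = "text/calendar"
ALLOWED_ORIGINS = {"https://calendar.example"}

# The only media types an HTML form can set through enctype; all three are
# sent cross-origin without a preflight.
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def normalize_newlines(text):
    """Form entry construction turns a lone CR or LF into CRLF."""
    return re.sub(r"\r\n|\r|\n", "\r\n", text)


def encode_text_plain(fields):
    """Serialise (name, value) pairs the way enctype="text/plain" does."""
    return "".join(
        normalize_newlines(name) + "=" + normalize_newlines(value) + "\r\n"
        for name, value in fields
    )


def legacy_body_sniff_accepts(body):
    """The fragile legacy check: trusts any body that looks like ICS."""
    return body.startswith("BEGIN:VCALENDAR")


def strict_accepts(headers):
    """Accept only requests no HTML form could have produced.

    Returns (accepted, reason). The media type must be the one the endpoint
    declares; a form-settable type is refused outright. If a browser sent an
    Origin header, it must be one we trust.
    """
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in FORM_ENCTYPES:
        return False, "form-settable media type " + ctype
    if ctype != EXPECTED_TYPE:
        return False, "expected " + EXPECTED_TYPE + ", got " + repr(ctype)
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "untrusted origin " + origin
    return True, "ok"


if __name__ == "__main__":
    body = encode_text_plain(FORM_FIELDS)
    print(body)
    print("body-only check accepts form post:", legacy_body_sniff_accepts(body))
    print("strict check on form post:",
          strict_accepts({"Content-Type": "text/plain",
                          "Origin": "https://other.example"}))
    print("strict check on first-party client:",
          strict_accepts({"Content-Type": "text/calendar; charset=utf-8",
                          "Origin": "https://calendar.example"}))
```

Running the module prints the body exactly as the ICS sample, then shows the body-only check accepting it while the Content-Type check refuses it.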

Received on Wednesday, 3 August 2011 15:25:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:46 GMT