- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 22 Dec 2006 12:07:19 +0100
- To: Jack Bates <ms419@freezone.co.uk>
- CC: w3c-dist-auth@w3.org
Jack Bates schrieb:
> I'm trying to protect my WebDAV project against cross-site request
> forgery. http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> What's cross-site request forgery?
> --
> Basically, it helps us to differentiate between user-initiated requests
> and requests that have been made on behalf of the user, e.g. if a user
> visits another website and that website has <img
> src="http://yourGallery.com/main.php?delete=everything"> then your
> browser would make the request automatically and delete everything since
> the request has been authorized. By adding a hidden form var and
> checking for it on each request, we can identify such forged requests
> since the hidden form var is not included. Of course, the auth token
> needs to be a random value, hard to guess.

Wait a minute? Are you deleting things upon a GET request? Don't do that. Never ever.

> Obviously we can't tell the WebDAV client to include an auth token in
> all requests, can we? Or should we add the auth token to the WebDAV URL?
>
> Or is there any HTTP header sent by the WebDAV client by which we can
> tell WebDAV clients and normal browsers apart?
>
> This attack is slightly more difficult against WebDAV because sensitive
> requests use special request methods (e.g. "DELETE"). I tried using a
> form to trick the user into making a sensitive request:
>
> <html>
> <head>
> <title> Cross-site Request Forgery </title>
> </head>
> <body>
> <form action="/~jablko/gallery2-trunk/w/foo/bar" method="DELETE">
> <input type="submit"/>
> </form>
> </body>
> </html>
>
> However it did not work in Firefox. According to the W3C HTML spec, the
> method attribute can only take values "GET" and "POST". Firefox
> interprets any other value as "GET".

Yes.
> I also tried making a sensitive request with JavaScript and
> XMLHttpRequest:
>
> <html>
> <head>
> <title> Cross-site Request Forgery </title>
> </head>
> <body>
> <script>
> request = new XMLHttpRequest();
> request.open('DELETE', '/~jablko/gallery2-trunk/w/foo/bar');
> request.send(null);
> </script>
> </body>
> </html>
>
> This did work; it used my authentication credentials to delete the
> resource.

I think that's the issue we have in <http://ietf.osafoundation.org:8080/bugzilla/show_bug.cgi?id=237>.

> ...

Best regards, Julian
Received on Friday, 22 December 2006 11:07:35 UTC
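The following is an added example, not code from the thread or from Jack's gallery project. It puts the two mitigations discussed above into one server-side check: a safe method such as GET is never allowed to carry out a mutation (the <img src="...?delete=everything"> case), and every state-changing request must present the random, hard-to-guess session token that Jack describes as a hidden form variable. The names Request, csrf_gate, csrf_token and X-CSRF-Token are hypothetical; accepting the token in a request header for non-form clients is an assumption added here, not something the thread settles.

```python
# Added example (not part of the mailing-list thread): a minimal CSRF gate.
# Rule 1: safe methods never change state, whatever the query string says.
# Rule 2: non-safe methods must carry a per-session random token.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}  # read-only by contract
MUTATING_PARAMS = {"delete", "move", "rename"}          # hypothetical query keys
TOKEN_FIELD = "csrf_token"        # hidden form variable (hypothetical name)
TOKEN_HEADER = "X-CSRF-Token"     # header carrier for non-form clients (assumption)


def new_session_token() -> str:
    """Random, unguessable token stored in the user's server-side session."""
    return secrets.token_urlsafe(32)


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (hypothetical)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_gate(req: Request, session_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request arriving in an authenticated session."""
    method = req.method.upper()
    if method in SAFE_METHODS:
        # A forged <img> or link can only produce a GET, so a GET that asks for
        # a mutation is refused outright rather than acted upon.
        if any(key in MUTATING_PARAMS for key in req.query):
            return False, "mutation requested via safe method %s" % method
        return True, "safe method, no state change"

    # State-changing method: the token must come from the hidden form field
    # (browser forms) or from the header (non-form clients, assumed here).
    presented = req.form.get(TOKEN_FIELD) or req.headers.get(TOKEN_HEADER)
    if not presented:
        return False, "state-changing %s without token (likely forged)" % method
    # Constant-time comparison so the check does not leak token bytes by timing.
    if not hmac.compare_digest(presented.encode(), session_token.encode()):
        return False, "token mismatch"
    return True, "token verified"


if __name__ == "__main__":
    token = new_session_token()
    # Constructed requests mirroring the cases in the thread.
    for req in (
        Request("GET", "/main.php", query={"delete": "everything"}),   # forged <img>
        Request("DELETE", "/w/foo/bar"),                              # token-less DELETE
        Request("POST", "/main.php", form={TOKEN_FIELD: token}),      # genuine form post
        Request("DELETE", "/w/foo/bar", headers={TOKEN_HEADER: token}),
    ):
        print(req.method, req.path, csrf_gate(req, token))
```

The gate deliberately rejects a GET that asks for a mutation instead of merely ignoring the parameter, so the rejection can be logged as a likely forgery attempt; the token itself must be bound to the session and regenerated on login, since a value that is guessable or shared across users gives no protection.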