
Re: Proposed resolution for Issue 237 (new attack scenario based on XmlHttpRequest object)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 04 Mar 2007 20:22:13 +0100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: WebDAV WG <w3c-dist-auth@w3.org>
Message-ID: <ki6mu2pr998q8pc7hvrtjfsamjshtv474r@hive.bjoern.hoehrmann.de>

* Julian Reschke wrote:
>    One specific attack scenario deserves special mention here: with the
>    arrival of the "XMLHttpRequest" API (see [WD-XMLHttpRequest]), user
>    agents have acquired the capability to submit arbitrary HTTP requests
>    against the server the content was obtained from.  With the well-
>    known semantics of HTTP verbs such as PUT and DELETE, the following
>    attack becomes possible:
>
>    1.  Alice prepares an HTML page with embedded Javascript code that
>        will submit a DELETE request against the URI
>        http://www.example.com/users/bob/ (a resource she does not have
>        write access to).
>
>    2.  Alice stores this HTML page at
>        http://www.example.com/users/alice/readme.html, a resource she
>        has write access to.
>
>    3.  Alice emails Bob a link to
>        http://www.example.com/users/alice/readme.html, for which he has
>        read access once authenticated.
>
>    4.  Bob follows the link, authenticates, and the embedded script code
>        executes the DELETE request against
>        http://www.example.com/users/bob/ while being authenticated as
>        Bob.

You should say Bob has write access to http://www.example.com/users/bob/.
I missed that at first and wondered what the point here might be.

>    o  Using user agents that follow Section 9.1.1 of [RFC2616], in that
>       they do not allow unsafe methods to be executed without making the
>       user aware of the consequences - unfortunately, none of today's
>       browsers is doing that.

I don't think this is the best way to put it, but I don't have much
better text at hand right now.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 4 March 2007 19:22:29 GMT
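A server-side detection pass for the scenario quoted above, as an added example that is not part of this thread or of the WebDAV specification: it assumes a constructed access-log format that records the authenticated user and the Referer header, plus the /users/<name>/ layout from the scenario, and flags unsafe-method requests whose referring page lives in another user's area on the same host.

```python
import re
from urllib.parse import urlsplit

# Methods RFC 2616 Section 9.1.1 treats as safe (retrieval only); anything
# else (PUT, DELETE, MOVE, PROPPATCH, ...) may change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed log format (an assumption, not any real server's format):
#   <timestamp> <auth-user> "<METHOD> <path> HTTP/1.1" <status> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)
# Per-user areas are laid out as /users/<name>/..., as in the scenario.
OWNER_RE = re.compile(r"^/users/([^/]+)/")

def owner_of(path):
    """User whose area the path lies in, or None if it is outside /users/."""
    m = OWNER_RE.match(path)
    return m.group(1) if m else None

def find_cross_user_unsafe(lines, server_host):
    """Return unsafe-method requests whose Referer is a page in another
    user's area on this host: the shape of step 4 (Bob, authenticated,
    running Alice's script). Requests with no Referer are left alone,
    since native DAV clients send none."""
    hits = []
    for line in lines:
        rec = LOG_RE.match(line.strip())
        if rec is None or rec["method"] in SAFE_METHODS:
            continue
        ref = urlsplit(rec["referer"])
        if ref.netloc != server_host:      # "-" or off-host: not this pattern
            continue
        script_owner = owner_of(ref.path)
        if script_owner is not None and script_owner != rec["user"]:
            hits.append({"user": rec["user"], "method": rec["method"],
                         "target": rec["path"], "script_owner": script_owner})
    return hits

# Constructed sample: Alice's readme.html makes Bob's browser DELETE /users/bob/.
SAMPLE_LOG = [
    '2007-03-04T19:20:01Z bob "GET /users/alice/readme.html HTTP/1.1" 200 "-"',
    '2007-03-04T19:20:02Z bob "DELETE /users/bob/ HTTP/1.1" 204 '
    '"http://www.example.com/users/alice/readme.html"',
    '2007-03-04T19:21:10Z bob "PUT /users/bob/notes.txt HTTP/1.1" 201 "-"',
    '2007-03-04T19:22:00Z alice "DELETE /users/alice/old.txt HTTP/1.1" 204 '
    '"http://www.example.com/users/alice/"',
]
```

Browsers do not always send Referer, so a hit is a lead to investigate rather than proof, and an absent header does not clear a request.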
