- From: Collin Jackson <collinj@cs.stanford.edu>
- Date: Mon, 25 Feb 2008 01:59:15 -0800
- To: "Anne van Kesteren" <annevk@opera.com>, "Adam Barth" <abarth@cs.stanford.edu>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
One issue that is not clear in the specification is that it is possible to make cross-site requests with spoofed Access-Control-Origin headers in all existing browsers. These requests can be made using DNS rebinding. Adobe and Sun have recently released fixes for socket-level DNS rebinding vulnerabilities, but as far as I know there are no existing or planned client-side browser defenses for DNS rebinding using XMLHttpRequest.

Here is a demonstration of header spoofing:

1) Using Windows, launch Firefox 2 or Safari 3 and visit <http://crypto.stanford.edu/dns/>. (The XMLHttpRequest demo could be made to work on other browsers and operating systems, but we haven't done it yet.)
2) Select "Browser Time Delay (HTTP on port 80)" from the dropdown list.
3) Change the host box to the name of a target web server (optional).
4) Press wget.
5) Wait some number of seconds (depending on the browser you're using).
6) The demo will then issue a "GET /" XHR to the target server with a spoofed Access-Control-Origin. (The content of the header is "This header has been spoofed.")
7) The server's response will be parsed by the demo and displayed on-screen.

Note that it is also possible to send POST requests in this way.

For public web servers, a practical way to defend against these attacks is to check the request's Host header as well as the Access-Control-Origin header. If the Host header doesn't match the server's host name, the server should ignore the Access-Control-Origin header and refuse the request. The specification should recommend this defense in Section 3 (Security Considerations).

-- Collin Jackson
Received on Monday, 25 February 2008 09:59:34 UTC
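An added example of the server-side Host-header check that the message above recommends (this is not code from the original message, the demo site, or the W3C draft). The point it demonstrates: under DNS rebinding the browser believes it is talking to the attacker's hostname, so the Host header it sends names the attacker's host even though the TCP connection reaches the target server; a server that checks Host against its own names before trusting Access-Control-Origin refuses such requests without ever consulting the spoofed header. The hostnames, origins and request headers are constructed for the example.

```python
# Added example (not from the original message): Host-header check before
# trusting Access-Control-Origin, run over a few constructed requests.
from typing import Dict, Optional, Tuple

# Hostnames this server legitimately answers for (assumed for the example).
SERVER_HOSTS = ("api.example.com", "www.example.com")

# Cross-site origins this server is willing to grant access to (assumed).
ALLOWED_ORIGINS = frozenset({"http://partner.example.org"})


def normalize_host(host_value: str) -> str:
    """Lower-case a Host header value and drop any :port suffix.

    Bracketed IPv6 literals such as [::1]:8080 keep their brackets;
    anything else is split at the first colon.
    """
    h = host_value.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        return h[: end + 1] if end != -1 else h
    return h.split(":", 1)[0]


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def decide_cross_site(headers: Dict[str, str],
                      server_hosts=SERVER_HOSTS,
                      allowed_origins=ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether to honour a cross-site request.

    Returns (allow, reason). The Host check runs first: if Host is missing
    or is not one of our own names, the request is refused outright and
    Access-Control-Origin is never consulted, as the message recommends.
    """
    canonical = {normalize_host(h) for h in server_hosts}
    host = get_header(headers, "Host")
    if host is None or normalize_host(host) not in canonical:
        return False, "host-mismatch"
    origin = get_header(headers, "Access-Control-Origin")
    if origin is None:
        return False, "no-access-control-origin"
    if origin in allowed_origins:
        return True, "origin-allowed"
    return False, "origin-not-allowed"


# Constructed request headers for the demonstration (not captured traffic).
SAMPLE_REQUESTS = {
    # Honest cross-site request from an allowed partner.
    "legit": {"Host": "api.example.com",
              "Access-Control-Origin": "http://partner.example.org"},
    # Same partner; Host carries mixed case and an explicit port.
    "legit_with_port": {"host": "API.example.com:443",
                        "access-control-origin": "http://partner.example.org"},
    # DNS-rebinding request: the browser thinks it is talking to
    # attacker.example, so that is the Host it sends; the origin header is
    # whatever the attacker's page chose to put there.
    "rebinding": {"Host": "attacker.example",
                  "Access-Control-Origin": "This header has been spoofed."},
    # Correct Host, but an origin that is not on the allow list.
    "unknown_origin": {"Host": "api.example.com",
                       "Access-Control-Origin": "http://evil.example"},
}


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample request; returns name -> (allow, reason)."""
    return {name: decide_cross_site(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allow, reason) in run_demo().items():
        print(f"{name:16s} {'ALLOW' if allow else 'REFUSE':6s} {reason}")
```

Two practical caveats when deploying this check: compare against the Host value the browser actually sent (a reverse proxy that rewrites Host before the check defeats it), and note that it only helps servers that know their own names; a default virtual host that answers for any Host gets nothing from it.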