Re: ISSUE 19: Requirements and Usage Scenarios document from Jon Ferraiolo on 2008-01-15 (public-appformats@w3.org from January 2008)

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Tue, 15 Jan 2008 06:20:46 -0800
To: Arthur Barstow <art.barstow@nokia.com>
Cc: ext Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
Message-ID: <OFFE1E7326.DEE4FCB9-ON882573D1.004E08B7-882573D1.004ECE68@us.ibm.com>

I described a CSRF scenario in
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html.
Search for the word "attack". My example attack vector depends on cookies
being sent as part of the cross-site request and assumes that the
simplicity of using Access Control would result is widespread adoption by a
new generation of unsophisticated web service developers who will open up
their APIs to mashup applications without understanding the consequences.
Note that the big CSRF worry here is that cookies are sent with the
requests.



                                                                           
             Arthur Barstow                                                
             <art.barstow@noki                                             
             a.com>                                                     To 
             Sent by:                  ext Mark Nottingham                 
             public-appformats         <mnot@yahoo-inc.com>                
             -request@w3.org                                            cc 
                                       "WAF WG (public)"                   
                                       <public-appformats@w3.org>          
             01/15/2008 05:20                                      Subject 
             AM                        Re: ISSUE 19: Requirements and      
                                       Usage Scenarios document            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           





Mark,

On Jan 14, 2008, at 11:24 PM, ext Mark Nottingham wrote:
>
> On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:
>>
>> One thing that strikes me immediately is that there are
>> requirements about XSS (cross-site scripting) but no mention of
>> CSRF, which is one of the concern areas from the folks at OpenAjax
>> Alliance, primarliy due to the current specification saying that
>> cookies will be sent.
>>
> +1
>
> From what I understand, the response to this concern is usually
> "that horse has already bolted."
>
> For the record, while I understand this sentiment, I personally
> don't think it's a good excuse to open the door wider.

Where is the data/analysis that clearly backs your claim (that AC4CSR
introduces new attack vectors)? My apologies if I missed this (but
please do send me the pointer(s)).

Thanks, Art Barstow
---

Attachments

image/gif attachment: graycol.gif
image/gif attachment: pic24327.gif
image/gif attachment: ecblank.gif

Received on Tuesday, 15 January 2008 15:07:46 UTC