- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 17 Jan 2008 01:27:21 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>
Hi again,

Just wanted to summarize some attack vectors that we want to make sure that we fend off. The general rule of thumb is "Don't introduce new attack vectors". All below points are derived from that general rule.

1. Should not introduce attack vectors to servers protected only by being behind firewalls. Some servers authenticate solely by relying on the fact that the user can connect to the server at all. While anyone can issue an arbitrarily formatted request to a server on the internet, this is not true for servers on intranets behind firewalls. The only requests that can be issued to such servers today are ones that browsers send out. This includes GET requests (from a multitude of features in HTML) and POST requests from HTML <form>s. Requests not allowed by these features could introduce new attack vectors.

2. It should not be possible to issue POST requests containing XML data to arbitrary servers. This is because there are a number of SOAP servers deployed that communicate using XML sent over POST requests and could perform potentially dangerous attacks.

3. Should try to prevent dictionary-based distributed brute-force attacks to try to get login accounts to 3rd party servers, to the extent possible.

4. Should not fail to properly enforce security policy in the face of commonly deployed proxy servers sitting between the UA and any of the servers the UA is communicating with.

5. Should not allow loading of XML resources from 3rd party servers without explicit consent of these servers, as such resources can contain sensitive information. This restriction should not just apply to XML resources, but any other type of resource that can contain sensitive information.

I'm sure there are more, so feel free to add to this list.

/ Jonas
Received on Thursday, 17 January 2008 09:27:42 UTC
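The rule of thumb in the message above, applied as a user-agent policy check, as an added example that is not part of the original post or of any WG draft: a cross-site request that an HTML form could already send adds no new attack surface (point 1), anything else (such as a POST of XML to a SOAP endpoint, point 2) is refused unless the target has consented, and reading any third-party response (point 5) also needs consent. Server consent is modelled here as a simple per-origin allow list, which is an assumption of this example, not the mechanism the group specified.

```javascript
// Added example (not from the original message): a UA-side policy check that
// applies the rule "don't introduce new attack vectors" to a proposed
// cross-site request. Consent by the third-party server is modelled as an
// allow list of origins (an assumption for this example).

// Request shapes an HTML <form> can already send cross-site today. A request
// that stays inside this set reaches firewalled intranet servers anyway
// (point 1), so sending it adds no new attack surface.
const FORM_METHODS = new Set(["GET", "POST"]);
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// "text/xml; charset=utf-8" -> "text/xml"
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// True when HTML could already produce this request without any new feature.
function isFormEquivalent(req) {
  const method = req.method.toUpperCase();
  if (!FORM_METHODS.has(method)) return false;
  if (method === "GET") return true;
  return FORM_CONTENT_TYPES.has(mediaType(req.contentType));
}

// Decide what the UA may do with a cross-site request:
//   "send-opaque"   - send it, but never expose the response to the page
//   "send-and-read" - send it and let the page read the response
//   "deny"          - refuse to send it at all
function decide(req, consentingOrigins) {
  const consented = consentingOrigins.has(req.targetOrigin);
  if (!isFormEquivalent(req)) {
    // e.g. POST of text/xml to a SOAP endpoint (point 2): consent required.
    return consented ? "send-and-read" : "deny";
  }
  // Form-equivalent requests may go out, but reading a third-party response
  // (XML or any other sensitive resource, point 5) still needs consent.
  return consented ? "send-and-read" : "send-opaque";
}
```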