- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 17 Jan 2008 20:42:10 +0000 (UTC)
- To: Mark Baker <distobj@acm.org>
- Cc: Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 17 Jan 2008, Mark Baker wrote:
> On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
> >
> > The specific attack I was worried about was SOAP service providers.
> > These work by accepting XML data through POSTs and can perform
> > potentially dangerous operations.
>
> Dangerous operations aren't specific to SOAP. Any POST-accepting
> resource can do them.

In practice, servers can be separated into two groups: those that check the submission MIME type, and those that just assume one.

Those that just assume one are currently fully vulnerable to attack, since you can already, using <form enctype=text/plain> and JS, submit any arbitrary data to a remote host.

Those that check the MIME type are currently safe if they accept a MIME type that is not possible to send using HTML <form>. Currently you can only send three types, text/plain, and two form-specific types. (WF2 also introduces a third form-specific type for XML.) Thus you are vulnerable if you accept those MIME types. But if you accept only, e.g., application/xml or some SOAP-specific type at the moment, then you are safe from cross-site browser-triggered POSTs.

As far as we know, the only widely deployed servers that accept such types are SOAP servers. That's why they are called out explicitly as the real world practical concern.

Of course, our requirements, as Jonas described in his most recent e-mail(s), include all such potential attacks -- SOAP is just the only well known case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 17 January 2008 20:42:26 UTC
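
The server-side check the message distinguishes ("those that check the submission MIME type"), as an added example that is not part of the original e-mail or of any project it mentions. The endpoint's accepted type (`application/xml`), the function names and the sample headers are assumptions made for illustration; the three form-sendable types are text/plain plus the two standard HTML form encodings.

```python
# Added example: Content-Type gate for a POST endpoint (hypothetical names).
# Media types an HTML <form> can submit cross-site: text/plain plus the
# two form-specific encodings.
FORM_SENDABLE = frozenset({
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
})

# Assumption: this endpoint only accepts XML request bodies.
ACCEPTED = frozenset({"application/xml"})


def media_type(content_type):
    """Return lowercased type/subtype without parameters, or None if unusable."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    parts = essence.split("/")
    # Require exactly "type/subtype" with no embedded whitespace.
    if len(parts) != 2 or not all(parts) or any(c.isspace() for c in essence):
        return None
    return essence


def check_post(content_type, accepted=ACCEPTED):
    """Return (allowed, reason) for a POST carrying this Content-Type header."""
    mt = media_type(content_type)
    if mt is None:
        # A server that "just assumes" a type would parse the body anyway.
        return False, "missing or malformed Content-Type"
    if mt in FORM_SENDABLE:
        return False, "form-sendable type"
    if mt not in accepted:
        return False, "type not accepted"
    return True, "ok"


def misconfigured(accepted):
    """Accepted types that a cross-site <form> could still deliver."""
    return sorted(set(accepted) & FORM_SENDABLE)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    for header in ("application/xml; charset=utf-8", "TEXT/PLAIN", None):
        print(repr(header), check_post(header))
```

Running `misconfigured()` over an endpoint's configured type list flags the case the message warns about, where a checking server still accepts one of the form-sendable types.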