W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: <form> POST versus Access Control POST

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 17 Jan 2008 20:42:10 +0000 (UTC)
To: Mark Baker <distobj@acm.org>
Cc: Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0801172037500.15583@hixie.dreamhostps.com>

On Thu, 17 Jan 2008, Mark Baker wrote:
> On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
> >
> > The specific attack I was worried about was SOAP service providers. 
> > These work by accepting XML data through POSTs and and can perform 
> > potentially dangerous operations.
> Dangerous operations aren't specific to SOAP.  Any POST-accepting 
> resource can do them.

In practice, servers can be separated into two groups: those that check 
the submission MIME type, and those that just assume one.

Those that just assume one are currently fully vulnerable to attack, since 
you can already, using <form enctype=text/plain> and JS, submit any 
arbitrary data to a remote host.

Those that check the MIME type are currently safe if they accept a MIME 
type that is not possible to send using HTML <form>. Currently you can 
only send three types, text/plain, and two form-specific types. (WF2 also 
introduces a third form-specific type for XML.) Thus you are vulnerable if 
you accept those MIME types.

But if you accept only, e.g., application/xml or some SOAP-specific type 
at the moment, then you are safe from cross-site browser-triggered POSTs. 
As far as we know, the only widely deployed servers that accept such types 
are SOAP servers. That's why they are called out explicitly as the real 
world practical concern. Of course, our requirements, as Jonas described 
in his most recent e-mail(s), include all such potential attacks -- SOAP 
is just the only well known case.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 17 January 2008 20:42:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC