Re: <form> POST versus Access Control POST

On 2008-01-17 20:42:10 +0000, Ian Hickson wrote:

> But if you accept only, e.g., application/xml or some
> SOAP-specific type at the moment, then you are safe from
> cross-site browser-triggered POSTs.  As far as we know, the only
> widely deployed servers that accept such types are SOAP servers.
> That's why they are called out explicitly as the real world
> practical concern. Of course, our requirements, as Jonas
> described in his most recent e-mail(s), include all such
> potential attacks -- SOAP is just the only well known case.

In fact, DNS rebinding techniques make the picture a bit more
complex than that: It means that you can circumvent the same-origin
policy for servers that don't also check the Host header.

I.e., if a SOAP-based service is used as the default server in a
virtual hosting environment and accepts arbitrary Host headers, then
an attacker can use DNS rebinding to submit arbitrary data through

The trick is to use DNS records with a very short TTL, and to flip
the IP address that the record points to after the page has loaded,
but before the request to the victim server goes out. You can
actually pull the trigger on that switch through another request
back to the attack server.

(Incidentally, this attack also works against the access-control
framework in its client-side incarnation, unless there is a 
server-side PEP.  On the other hand, we can't do away entirely with
the client-side PEP, for the benefit of legacy services that don't
do any server-side enforcement.)

Thomas Roessler, W3C  <>

Received on Friday, 18 January 2008 12:38:46 UTC