- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 18 Jan 2008 13:38:35 +0100
- To: Ian Hickson <ian@hixie.ch>
- Cc: Mark Baker <distobj@acm.org>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
On 2008-01-17 20:42:10 +0000, Ian Hickson wrote:

> But if you accept only, e.g., application/xml or some SOAP-specific type at the moment, then you are safe from cross-site browser-triggered POSTs. As far as we know, the only widely deployed servers that accept such types are SOAP servers. That's why they are called out explicitly as the real world practical concern. Of course, our requirements, as Jonas described in his most recent e-mail(s), include all such potential attacks -- SOAP is just the only well known case.

In fact, DNS rebinding techniques make the picture a bit more complex than that: they mean that you can circumvent the same-origin policy for servers that don't also check the Host header. I.e., if a SOAP-based service is used as the default server in a virtual hosting environment and accepts arbitrary Host headers, then an attacker can use DNS rebinding to submit arbitrary data through XMLHttpRequest.

The trick is to use DNS records with a very short TTL, and to flip the IP address that the record points to after the page has loaded, but before the request to the victim server goes out. You can actually pull the trigger on that switch through another request back to the attack server.

(Incidentally, this attack also works against the access-control framework in its client-side incarnation, unless there is a server-side PEP. On the other hand, we can't do away entirely with the client-side PEP, for the benefit of legacy services that don't do any server-side enforcement.)

Cheers,

--
Thomas Roessler, W3C <tlr@w3.org>
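The message above identifies the precondition for the rebinding variant: a server that answers for arbitrary Host headers. The corresponding server-side control is a strict Host allow-list, applied before any request body is parsed, so that a request carrying the attacker's domain in its Host header is refused even though it arrives at the victim's IP address. The following is an added Python example, not code from the thread or from any W3C specification; the `ALLOWED_HOSTS` set, the `handle_request` gate and the constructed request headers are illustrative assumptions.

```python
"""Host-header allow-list as a server-side check against DNS rebinding.

Added example (not part of the mailing-list thread). Assumes the service
is configured with an explicit set of hostnames it answers for; anything
else, including raw IP literals and unknown virtual hosts, is rejected
with 400 before the request body is looked at.
"""

# Constructed configuration: the only names this service legitimately serves.
ALLOWED_HOSTS = frozenset({"api.example.org", "soap.example.org"})

_HOSTNAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789.-")


def normalize_host(host_header):
    """Return the lowercase hostname from a Host header without its port,
    or None when the header is missing or malformed.

    IPv6 literals ("[::1]:8080") are returned bracketed so that they can
    never collide with a configured DNS name.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()

    # IPv6 literal: keep the bracketed form, drop any trailing port.
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return None
        return host[: end + 1]

    # Strip an optional ":port" suffix; a non-numeric port is malformed.
    if ":" in host:
        name, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
        host = name

    # Reject anything that is not a plausible DNS name (or IPv4 literal,
    # which will then fail the allow-list lookup because it is not configured).
    if not host or any(ch not in _HOSTNAME_CHARS for ch in host):
        return None
    return host.rstrip(".")  # "api.example.org." == "api.example.org"


def host_is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """True only when the Host header names one of the configured virtual hosts."""
    host = normalize_host(host_header)
    return host is not None and host in allowed_hosts


def handle_request(headers, body, allowed_hosts=ALLOWED_HOSTS):
    """Minimal request gate. Returns (status, reason).

    The Host check runs before the body is touched, so a rebinding request
    that carries the attacker's hostname never reaches the SOAP handler.
    """
    host = headers.get("Host") or headers.get("host")
    if not host_is_allowed(host, allowed_hosts):
        return 400, "Bad Request: unrecognised Host header"
    # A real service would dispatch on body here; the body is unused in this gate.
    return 200, "OK"


if __name__ == "__main__":
    # Constructed requests: one for a configured host, one as a rebinding
    # request would appear (attacker's name in Host, victim's IP on the wire).
    print(handle_request({"Host": "soap.example.org:443"}, b"<Envelope/>"))
    print(handle_request({"Host": "attacker.example"}, b"<Envelope/>"))
```

Matching on exact configured names rather than accepting whatever the default virtual host receives is what closes the gap the message describes; it is cheap, needs no client cooperation, and complements rather than replaces the client-side policy enforcement discussed in the thread.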
Received on Friday, 18 January 2008 12:38:46 UTC