- From: Tyler Close <tyler.close@gmail.com>
- Date: Thu, 3 Dec 2009 12:31:12 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Adam Barth <w3c@adambarth.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Julian Reschke <julian.reschke@gmx.de>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 12:24 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Dec 3, 2009, at 12:10 PM, Tyler Close wrote:
>
>> On Thu, Dec 3, 2009 at 10:37 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>>>
>>> Do you see an actual flaw in my reasoning as applied to the command-line
>>> tool in question?
>>
>> Sending a POST request with Content-Type application/xml using a
>> webbot is a likely thing to do and the redirect attack would not be
>> prevented by either of the mitigations you listed.
>
> How does that affect my original point 1? To recap, my point 1 was that if
> you send no credentials, only resources behind firewalls face potential
> vulnerability from redirects. This is so because such a request could be
> sent by the potential attacker directly, without involving a redirect. I
> believe this remains the case even if you send a POST request with
> Content-Type application/xml.

Yes, only resources that depend solely on a firewall (or client IP address) for access control are vulnerable to the redirect attack. Such resources are common enough that the webbot must not violate their expected security model.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 3 December 2009 20:31:52 UTC
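The attack the two messages above are discussing is a client that follows a redirect into a network where the target resource is protected only by a firewall or by the client's IP address. The following is an added example, not code from this thread or from the webbot tool, of the redirect policy such a client needs: every address the redirect target resolves to is checked against internal ranges before the request is re-sent, and a 307/308 that would replay a request body is only honoured to the origin that issued it. The function names, the list of internal ranges, the same-origin rule for 307/308 and the DNS table are assumptions made for the example.

```python
"""Redirect policy for a non-browser HTTP client (example, not the webbot's code)."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Ranges a firewall normally keeps off the public Internet (assumed list).
# A redirect that lands here is the attack in the thread: the client is
# inside, the attacker is not, and the resource trusts the client's address.
_INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_address(ip):
    """True if the IP literal lies in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 reaches 10.0.0.1 on the wire, so test the IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in _INTERNAL_NETWORKS)


def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline; these are not real records.
SAMPLE_DNS = {
    "public.example": ["203.0.113.10"],
    "other.example": ["203.0.113.20"],
    "intranet.example": ["10.1.2.3"],
    "mixed.example": ["203.0.113.10", "192.168.1.5"],
    "mapped.example": ["::ffff:172.16.0.9"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def _addresses(host, resolver):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: nothing to resolve
    except ValueError:
        return resolver(host)


def _origin(parts):
    try:
        port = parts.port
    except ValueError:
        port = None
    return (parts.scheme, parts.hostname, port or (443 if parts.scheme == "https" else 80))


def redirect_decision(request_url, method, status, location, resolver=system_resolver):
    """Decide what to do with a 3xx response carrying a Location header.

    Returns (action, reason); action is "follow" (re-send the request as is),
    "follow_get" (re-send as a body-less GET) or "refuse".
    """
    target = urlsplit(urljoin(request_url, location))
    if target.scheme not in ("http", "https"):
        return "refuse", "redirect to non-HTTP scheme %r" % target.scheme
    if not target.hostname:
        return "refuse", "redirect target has no host"
    addrs = _addresses(target.hostname, resolver)
    if not addrs:
        return "refuse", "%s does not resolve" % target.hostname
    # Refuse if ANY record is internal: a name with one public and one private
    # address must not be followed on the strength of the public one.
    for ip in addrs:
        if is_internal_address(ip):
            return "refuse", "%s resolves to internal address %s" % (target.hostname, ip)
    if method.upper() in ("GET", "HEAD"):
        return "follow", "safe method"
    if status in (301, 302, 303):
        return "follow_get", "%d: retry as GET without the body" % status
    # 307/308 replay the method and body. Assumed policy: only to the same origin.
    if _origin(target) == _origin(urlsplit(request_url)):
        return "follow", "%d to same origin: replay %s with body" % (status, method.upper())
    return "refuse", "%d would replay a %s body to a different origin" % (status, method.upper())


if __name__ == "__main__":
    for args in (("https://public.example/api", "POST", 302, "http://intranet.example/admin"),
                 ("https://public.example/api", "POST", 307, "https://other.example/v2"),
                 ("https://public.example/api", "GET", 302, "/other")):
        print(args[1:], "->", redirect_decision(*args, resolver=sample_resolver))
```

The check resolves the name once; the connection that follows must use the address that was checked (or the check must be repeated on the address the socket actually connects to), otherwise a name whose records change between the two lookups gets past it.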