- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 14 Apr 2006 12:57:47 +0200
- To: public-webapi@w3.org
Hi,

while discussing RFC2518bis, the IETF WebDAV WG got feedback ([1]) pointing out a potential attack scenario that hasn't been discussed before a lot, and mainly depends on three factors:

- HTTP methods such as PUT or DELETE that may overwrite/delete existing content
- collaborative authoring of web resources by different users on the same site (so this is *not* about cross site attacks)
- presence of scriptable HTTP components in browsers (XHR).

Summary (from [2]):

> The XmlHttpRequest object (implemented now in all current browsers) allows
> issuing arbitrary HTTP (and WebDAV) requests under the credentials of the
> authenticated user, in particular the DELETE method.
>
> If user A prepares an HTML page containing code that will issue a DELETE request
> against one of user B's resources, and tricks him/her into navigating to that
> page, the browser will issue the DELETE request with B's credentials (no
> confirmation required).

At this point the WebDAV working group really doesn't know what to do with this, except for potentially adding it to the Security Considerations in RFC2518bis.

On the other hand, this isn't really specific to WebDAV (being based on HTTP PUT/DELETE and XHR-like functionality), so maybe somebody over here has some idea how to deal with it.

Best regards, Julian

[1] <http://lists.w3.org/Archives/Public/w3c-dist-auth/2006JanMar/0701.html>
[2] <http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=237>
Received on Friday, 14 April 2006 11:00:06 UTC
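One server-side way to blunt the same-site scenario described in the message is origin separation: user-authored HTML never executes in the origin that accepts PUT/DELETE, and the origin where it does render accepts no authoring methods. The policy below is an added example, not code from the thread or from any WebDAV implementation; the two hostnames, the method list and the media-type list are assumptions made for illustration.

```python
# Added example: a front-end policy for a WebDAV-style authoring server.
# AUTHOR_HOST is the origin that accepts PUT/DELETE and friends; VIEW_HOST is
# a separate sandbox origin that only ever serves content for viewing. Both
# hostnames are constructed for this example.
AUTHOR_HOST = "dav.example.test"          # assumed authoring origin
VIEW_HOST = "usercontent.example.test"    # assumed sandbox origin

# Methods that create, change or remove resources (HTTP plus RFC 2518).
AUTHORING_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE",
                     "PROPPATCH", "LOCK", "UNLOCK"}
# Media types a browser will render and run script from if served inline.
ACTIVE_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")


def apply_policy(method, host, content_type="application/octet-stream"):
    """Decide how a request on `host` is handled before the DAV backend.

    Returns (status, extra_headers). A status of 0 means "pass through to
    the backend"; any other value is an HTTP status the front end answers
    with directly. extra_headers are added to the GET/HEAD response.
    """
    method = method.upper()
    host = host.split(":")[0].lower()
    mime = content_type.split(";")[0].strip().lower()

    if host == VIEW_HOST:
        # Sandbox origin: anything may render here, but no authoring method
        # exists on this origin, so script in a viewed page finds nothing to
        # call with the viewer's ambient credentials. Calls to AUTHOR_HOST
        # from here are cross-origin and fall under the same-origin policy.
        if method not in ("GET", "HEAD", "OPTIONS"):
            return 405, {"Allow": "GET, HEAD, OPTIONS"}
        return 0, {}

    if host == AUTHOR_HOST:
        if method in AUTHORING_METHODS:
            return 0, {}
        headers = {"X-Content-Type-Options": "nosniff"}
        if mime in ACTIVE_TYPES:
            # Active content on the authoring origin is delivered as a
            # download, never rendered, so another user's HTML cannot run
            # in the origin where the authoring API lives.
            headers["Content-Disposition"] = "attachment"
        return 0, headers

    return 421, {}   # Misdirected Request: unknown virtual host
```

Hosting the two origins on different registrable domains matters, since sibling subdomains can still share cookies set on the parent domain.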