Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility) from Mark S. Miller on 2009-06-07 (public-webapps@w3.org from April to June 2009)

From: Mark S. Miller <erights@google.com>
Date: Sun, 7 Jun 2009 15:46:46 -0700
To: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <4d2fac900906071546r6eaf573ctff8217c8b7f0602f@mail.gmail.com>

[- all but Adam and pubic-webapps]

On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
> > If servers at A don't freely hand out such tokens in response to
> guessable GET
> > requests, then the secret token prevents XSS-at-A-attacker's XSRF against
> B
> > from abusing the authority that B associates with A.
>
> I don't see what GET has to do with it.  In any case, the XSS attacker
> can always enter the site at the home page (e.g., http://example.com/)
> and follow whatever obscure links exist until it reaches the page that
> contains the token.[...]

If the starting point "http://example.com/" is guessable, then the XSS
attacker thereby succeeds at obtaining the token only if the server at
example.com hands out the token in response to a guessable sequence of GET
requests.

If the starting point is not guessable, then I don't understand your
example.

-- 
   Cheers,
   --MarkM

Received on Sunday, 7 June 2009 22:47:26 UTC