W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Mark S. Miller <erights@google.com>
Date: Mon, 8 Jun 2009 23:05:08 -0700
Message-ID: <4d2fac900906082305m32831033jda711ed0ce6f80f8@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webapps <public-webapps@w3.org>
On Mon, Jun 8, 2009 at 10:24 AM, Tyler Close <tyler.close@gmail.com> wrote:

> On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller<erights@google.com> wrote:
> > On Sun, Jun 7, 2009 at 3:28 PM, Adam Barth <w3c@adambarth.com> wrote:
> >> Yeah, I can see that as being useful.  I encourage you to propose a
> >> new API that does this.  The Origin-header-as-CSRF-defense already
> >> provides for this possibility.  Is there something specific you'd like
> >> me to change in the I-D to support this new API?
> >
> > Yes. I will take you up on this invitation. Thanks!
> For CORS <http://www.w3.org/TR/access-control/>, and other parts of
> web-apps, I think the above agreement is the important take-away from
> this discussion. For sites with advertising, or other third-party
> widgets, it would be nice to have a way for code to issue network
> requests without impersonating the hosting page's Origin.

First, I agree with Tyler that this agreement together with the agreement
just now with Anne are the important take aways. These agreements do not
depend on the outcome of the remaining XSS issue Adam and I are debating. I
suggest that discussion of how to turn these agreements into specs continue
on the "XHR without user credentials" thread. Those interested in what
upcoming specifications should say, rather than how many vulnerabilities can
dance on an XSS, can stop reading now.

I suggest that the debate about XSS risks continue here under the original
subject line since it describes the remaining issue we're still debating.

On Sun, Jun 7, 2009 at 11:18 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Sun, Jun 7, 2009 at 6:24 PM, Mark S. Miller <erights@google.com> wrote:
> > On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth <w3c@adambarth.com> wrote:
> >>
> >> Right, but once the attacker has XSSed site A, the attacker learns the
> >> secret token necessary to issue the next request in the chain to site
> >> A regardless of the method.
> >
> >
> > Recall that this is in response to
> >
> > On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com>
> wrote:
> >>
> >> If servers at A don't freely hand out such tokens in response to
> guessable
> >> GET requests,
> >
> > So, if servers at A don't do this, how does the attacker, having XSSes
> site
> > A, learn the secret token necessary to issue the next request?
> The same way the user does: by generating a click event on whatever
> DOM element leads to the next page.

Under any system which presents ambient origin credentials to authorize
access, whether http auth info, cookies, or identiied Origin headers, an XSS
against page X on origin A can abuse all that user's authority associated
with *origin A*.

In a pure secret token based system, an XSS against page X on origin A can
abuse all the authority held by *page X* -- the authority authorized by the
secret tokens that page X knows and all authority reachable by guessable
traversal from X starting from knowledge of these tokens. If A's website is
structured according to both RESTful and POLA (Principle of Least
Authority), then most of A's pages will hold less much less authority than
the authority associated with A as a whole.

This argument is exactly parallel to the "Solitaire" criticism of
conventional ACL-oriented OSes <
http://video.google.com/videoplay?docid=-7961423532989255419>. Just as a
desktop Solitaire appication does not need the authority to delete your
files, a web Solitaire game running on gaming site A does not need authority
to delete all the other games (or whatever) you have in progress at that
website. Just as a conventional OS grants Solitaire this authority it does
not need, conventional web credential systems grant to the web Solitaire
game all your authority at that site/origin. If either Solitaire has an
exploitable vulnerability, then the attacker can abuse this excess

However, if either Solitaire -- the application or the web page -- only
holds the authority it needs to perform its legitimate job, then if it has
an exploitable vulnerability, the attacker can only abuse that limited


Unfortunately, just as processes running on the same account on a
conventional OS can mess with each other, so can frames running as the same
origin. The limits to Solitaire's abuse potential above includes the
authority of other A-origin frames running at the same time as Solitaire.
This makes it difficult to reason about precisely how much these measures
help; but it is still clear that they would often help a great deal
depending on the users habits.

Of course, only a handful of people -- all of whom you and I probably know
-- operate sites as "pure secret token based" with no ambient credentials
whatsoever. Any transitional strategy has to accomodate some kind of login,
where the login page makes a transition from a page with little authority
(itself) to a page holding all of that user's authority at that origin (say,
that user's "home page" at that origin).

In order for all the rest of this hypothetical reduction of XSS
vulnerability to pay off, we need merely run the login page itself at an
origin other than A, in order to protect itself from an XSS on an
application page at A. Only the transitions within A and out of A must be
pure secret token based. The transitions into A can be by other means
separately protected.

If the XSS vulnerability in question is on the user's A home page, then we
haven't gained anything. But there will be some distribution of
vulnerabilities across pages, and most of the site's pages should carry far
less authority.


I am not advocating that people use the above techniques by themselves to
ameliorate their XSS vulnerabilities. Better to fix the XSS problem with
technologies like Caja. But neither do I expect immediate pervasive adoption
of Caja or of pure secret token systems. The point here is simply that this
is a practical scenario, both simpler and more secure than current practice
and independent of JavaScript sanitization, whose security even against
XSSes would be weakened by extending conventional identified-origin access
control into cross-origin requests.

Received on Tuesday, 9 June 2009 06:05:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC