Re: [XHR] XMLHttpRequest specification lacks security considerations

On Tue, Feb 9, 2010 at 2:50 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> A server can generally determine the domain name of the host it is running on from the operating system, if it wants to run with zero configuration. That is apparently what Apache does:
>
> http://httpd.apache.org/docs/1.3/mod/core.html#servername

That link says "this may not work reliably, or may not return the
preferred hostname."  *If* server implementers would be willing to
have their servers refuse to work unless explicitly configured or the
request host matches reverse DNS/OS hostname, then I agree as a web
developer that that would be great.

On Wed, Feb 10, 2010 at 4:37 AM, Bil Corry <bil@corry.biz> wrote:
> Another threat is an attacker crafting a malicious payload in the Host header, hoping that it gets logged then viewed via a web browser.

That's just straight XSS.

> And some webapps conditionally show debugging information based on the host header, so that the production hostname has a generic error page and the staging hostname produces a full stack trace.  Simply forging the host header allows an attacker to view the full debugging information.

I'd be surprised if this were common enough to be worth worrying about.

Received on Wednesday, 10 February 2010 23:22:33 UTC
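The explicit-configuration check the reply asks for, as an added example that is not part of this thread or of any server's code: a Host header allow-list validator in Python that strips the port, rejects malformed or duplicate Host headers, and only optionally falls back to the OS hostname (the `use_os_hostname` option, the allow-list and the sample request are all constructed assumptions).

```python
import re
import socket
from typing import Iterable, Optional

# Host header grammar (simplified): a bracketed IPv6 literal or a DNS name,
# optionally followed by ":port". Anything else is treated as malformed.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def normalize_host(value: str) -> Optional[str]:
    """Lowercase host part of a Host header with port and trailing dot removed; None if malformed."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return None
    return m.group("host").lower().rstrip(".")


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Extract the single Host header from a raw request; zero or duplicate headers yield None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    header_lines = head.split("\r\n")[1:]  # skip the request line
    hosts = [line.split(":", 1)[1].strip()
             for line in header_lines if line.lower().startswith("host:")]
    return hosts[0] if len(hosts) == 1 else None


def host_is_allowed(header_value: Optional[str], configured: Iterable[str],
                    use_os_hostname: bool = False) -> bool:
    """True only if the request Host matches an explicitly configured name (or, if
    enabled, the OS hostname); a missing Host header is rejected like HTTP/1.1 requires."""
    if header_value is None:
        return False
    host = normalize_host(header_value)
    if host is None:
        return False
    allowed = {normalize_host(h) for h in configured} - {None}
    if use_os_hostname:  # assumption: the operator opted in to the zero-config fallback
        allowed.add(socket.getfqdn().lower().rstrip("."))
    return host in allowed


if __name__ == "__main__":
    # Constructed sample request with a forged Host header, not captured traffic.
    sample = b"GET /debug HTTP/1.1\r\nHost: staging.example.com\r\n\r\n"
    print(host_is_allowed(parse_host_header(sample), ["www.example.com"]))  # False
```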