FW: CORS and HTTP headers spoofing from Margarita Podskrobko on 2011-06-03 (public-webapps@w3.org from April to June 2011)

From: Margarita Podskrobko <mpodskrobko@hotmail.com>
Date: Fri, 3 Jun 2011 12:02:45 +0200
To: <public-webapps@w3.org>
Message-ID: <BAY159-w61075D9159A15EE0206F0EBA7F0@phx.gbl>

> >> How would you set the "Origin" header?
> >>
> >
> > I have figured out at least one unexpected and surprisingly easy way to do
> > it in Firefox. There is a firefox  addon available , which lets set Origin
> > header to any value. Addon is available from the following
> > link: https://addons.mozilla.org/en-US/firefox/addon/modify-headers/  I have
> > installed it and tried it with one simple web application. Well, what can I
> > say... It works, and with this addon I can send a cross origin XHR with any
> > value of Origin header.
> 
> So your concern is that the user would install an addon and use that
> to attack a target site? What type of attack are you concerned that
> the user would be able to perform? I.e. what type of data are you
> worried that the user could steal? Or what type of harm are you
> worried that the user would be able to cause on the website?
> 
In this particular case, the user might be not aware that there is any this kind of addon running in browser and changing the value of Origin header. And then it is becoming even easier for CSRF, as XHR can be sent automatically and user even doesn't need to click to any malicious link.
But answering your question, the type of stolen data and type of harm depends on the logic implemented on the server. 
> CORS was mostly written with the intent of protecting the users data
> which is stored in various web servers. Obviously the user attacking
> the webserver to steal his or her own data isn't much of a concern.
> This is why I'm asking the above question.

I am trying to figure out, how the Origin header of request should be used on the side of server. Adam Barth wrote the following in http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1255.html:"My understanding is that the CORS use of the Origin header is mostly
to protect the confientiality of resources on the server.  For
example, if (1) the server wishes to reveal a particular piece of
information to some origins by not to others."Before my understanding was compliant with Adam's, I was thinking about resources on the server in general, not only users' data. Best regardsMargarita Podskrobko

Received on Friday, 3 June 2011 10:03:13 UTC