Re: [cors] Legacy Servers: POST Body Format

On Tue, 2011-08-02 at 16:46 +0200, Anne van Kesteren wrote:
> On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck  
> <philippe.deryck@cs.kuleuven.be> wrote:
> > The CORS specification fails to protect legacy servers from POST
> > messages with arbitrary body formatting.
> 
> You can create pretty much any arbitrary message body you want using  
> application/x-www-form-urlencoded already by crafting smart names and  
> values so the real importance is in not being able to set Content-Type.  
> This is not a security problem as far as I can tell.

Using a form still results in the use of = and & in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector.

 BEGIN:VCALENDAR
 VERSION:2.0
 PRODID:-//hacksw/handcal//NONSGML v1.0//EN
 BEGIN:VEVENT
 UID:uid1@example.com
 DTSTAMP:19970714T170000Z
 ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
 DTSTART:19970714T170000Z
 DTEND:19970715T035959Z
 SUMMARY:Bastille Day Party
 END:VEVENT
 END:VCALENDAR


-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Received on Wednesday, 3 August 2011 09:20:43 UTC