Re: [cors] Legacy Servers: POST Body Format

On 8/3/11 5:03 AM, Philippe De Ryck wrote:
>> You can create pretty much any arbitrary message body you want using
>> application/x-www-form-urlencoded already by crafting smart names and
>> values so the real importance is in not being able to set Content-Type.
>> This is not a security problem as far as I can tell.
>
> Using a form still results in the use of = and & in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector.
>
>  BEGIN:VCALENDAR
>  VERSION:2.0
>  PRODID:-//hacksw/handcal//NONSGML v1.0//EN
>  BEGIN:VEVENT
>  UID:uid1@example.com
>  DTSTAMP:19970714T170000Z
>  ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
>  DTSTART:19970714T170000Z
>  DTEND:19970715T035959Z
>  SUMMARY:Bastille Day Party
>  END:VEVENT
>  END:VCALENDAR

Trivial encoding of the above data in a normal form:

<!DOCTYPE html>
<form
  action="put_your_echo_script_here_to_see_what_the_POST_data_looks_like"
  method="POST"
  enctype="text/plain">
   <input type="hidden"
          name="BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:19970714T170000Z
ORGANIZER;CN"
          value="John Doe:MAILTO:john.doe@example.com
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
">
   <input type="submit" value="Send me some ICS!">
</form>

This can be done cross-site by browsers right this second.  The submit
can be fully scripted, so it doesn't even need user interaction.  Just
loading a page with such a form can send your nice ICS data to any HTTP
server that the UA is willing to reach.

-Boris

Received on Wednesday, 3 August 2011 15:25:06 UTC
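The following is an added example, not code from the thread: it reproduces the enctype="text/plain" encoding that Boris's form relies on (each field becomes name=value plus CRLF, with no escaping) and shows the server-side check a legacy iCalendar endpoint can apply. The function names are constructed for this demonstration.

```python
# Added example, not code from the thread: reproduces the enctype="text/plain"
# encoding Boris's form relies on and shows a server-side check for an
# endpoint that ingests iCalendar data. Function names are constructed.

# The ICS sample from the thread, with CRLF line ends as sent on the wire.
ICS_SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//hacksw/handcal//NONSGML v1.0//EN",
    "BEGIN:VEVENT",
    "UID:uid1@example.com",
    "DTSTAMP:19970714T170000Z",
    "ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com",
    "DTSTART:19970714T170000Z",
    "DTEND:19970715T035959Z",
    "SUMMARY:Bastille Day Party",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Media types a plain HTML <form> can produce without any script; anything
# else requires a cross-origin request that is subject to CORS preflight.
FORM_SUBMITTABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def text_plain_form_body(fields):
    """Encode (name, value) pairs as a browser does for enctype=text/plain:
    'name=value' followed by CRLF per field, with no escaping at all."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)

def split_at_first_equals(text):
    """Choose the hidden field's name/value so that the single '=' the
    encoding inserts lands on an '=' the payload already contains."""
    name, _sep, value = text.partition("=")
    return (name, value)

def body_reproduces_payload(payload):
    """True when a one-field text/plain form yields the payload verbatim
    (plus the trailing CRLF the encoding appends); False if the payload
    has no '=' for the inserted separator to hide behind."""
    body = text_plain_form_body([split_at_first_equals(payload)])
    return body == payload + "\r\n"

def accepts_ics_upload(content_type):
    """Server-side check for a legacy ICS endpoint: refuse every media type
    a form can submit and insist on text/calendar (parameters ignored)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in FORM_SUBMITTABLE_TYPES:
        return False  # reachable from any page via a plain form submit
    return media_type == "text/calendar"
```

Because the ICS line ORGANIZER;CN=John Doe already carries an "=", the form body is the calendar data byte for byte, which is why a body-format check alone cannot tell it from a legitimate upload and the Content-Type check is what matters.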