- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 03 Aug 2011 11:24:24 -0400
- To: public-webapps@w3.org
On 8/3/11 5:03 AM, Philippe De Ryck wrote:
>> You can create pretty much any arbitrary message body you want using
>> application/x-www-form-urlencoded already by crafting smart names and
>> values so the real importance is in not being able to set Content-Type.
>> This is not a security problem as far as I can tell.
>
> Using a form still results in the use of = and & in the body, even with
> crafted names/values. Taking the ICS format as an example, this is very
> difficult to encode in a normal form, but very easy with cross-origin
> XHR. This can leave legacy servers open to a new attack vector.
>
> BEGIN:VCALENDAR
> VERSION:2.0
> PRODID:-//hacksw/handcal//NONSGML v1.0//EN
> BEGIN:VEVENT
> UID:uid1@example.com
> DTSTAMP:19970714T170000Z
> ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
> DTSTART:19970714T170000Z
> DTEND:19970715T035959Z
> SUMMARY:Bastille Day Party
> END:VEVENT
> END:VCALENDAR

Trivial encoding of the above data in a normal form:

<!DOCTYPE html>
<form action="put_your_echo_script_here_to_see_what_the_POST_data_looks_like"
      method="POST" enctype="text/plain">
<input type="hidden" name="BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:19970714T170000Z
ORGANIZER;CN" value="John Doe:MAILTO:john.doe@example.com
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
">
<input type="submit" value="Send me some ICS!">
</form>

This can be done cross-site by browsers right this second. The submit can
be fully scripted, so doesn't even need user interaction. Just loading a
page with such a form can send your nice ICS data to any HTTP server that
the UA is willing to reach.

-Boris
Received on Wednesday, 3 August 2011 15:25:06 UTC
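The defender's takeaway from the exchange above, as an added example that is not part of the thread: a small model of the text/plain form encoding the message relies on, beside a request gate for a legacy ICS endpoint that refuses to treat a non-urlencoded Content-Type, or a body that parses cleanly, as evidence the request came from its own origin. The endpoint policy (require text/calendar plus a trusted Origin header) and the sample field are assumptions constructed for the example.

```python
# Added example (not from the thread): models what a browser can send from a
# plain HTML form and gates a legacy ICS endpoint accordingly.

# The three enctypes an HTML form can emit. Any page can make a browser send
# these cross-site without a CORS preflight, so an endpoint must not treat
# "it isn't urlencoded" or "the body parsed fine" as proof of same-origin.
FORM_SUBMITTABLE = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

def text_plain_form_body(fields):
    """Body a browser sends for enctype="text/plain": 'name=value' + CRLF per field."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)

def media_type(content_type):
    """Drop parameters such as ';charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def looks_like_ics(body):
    """True if the body is framed as a VCALENDAR object (blank lines ignored)."""
    lines = [line for line in body.splitlines() if line.strip()]
    return lines[:1] == ["BEGIN:VCALENDAR"] and lines[-1:] == ["END:VCALENDAR"]

def accept_ics_upload(headers, body, trusted_origins):
    """Gate for a state-changing ICS endpoint; returns (accepted, reason).
    Assumed policy, not from the thread: require the real media type and a
    trusted Origin header. The ICS framing check comes last because, as the
    message shows, a form-built body can be perfectly well-formed ICS."""
    ctype = media_type(headers.get("Content-Type", ""))
    if ctype in FORM_SUBMITTABLE:
        return False, f"form-submittable Content-Type {ctype!r}: treat as cross-site"
    if ctype != "text/calendar":
        return False, f"unexpected Content-Type {ctype!r}"
    origin = headers.get("Origin")
    if origin not in trusted_origins:
        return False, f"untrusted or missing Origin {origin!r}"
    if not looks_like_ics(body):
        return False, "body is not a VCALENDAR object"
    return True, "ok"

# Constructed sample: the single hidden field from the form in the message,
# split so that the form's own '=' lands inside the ORGANIZER;CN parameter.
SAMPLE_FIELDS = [(
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:uid1@example.com\r\nORGANIZER;CN",
    "John Doe:MAILTO:john.doe@example.com\r\nSUMMARY:Bastille Day Party\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n",
)]
```

Run `accept_ics_upload({"Content-Type": "text/plain"}, text_plain_form_body(SAMPLE_FIELDS), {"https://cal.example"})` to see the form-built body rejected on Content-Type alone, before any parsing happens.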