Re: Limiting requests from the internet to the intranet.

Since it doesn't seem to have been posted here yet, this seems apropos:

https://code.google.com/p/google-security-research/issues/detail?id=693

Exploitation of this vuln would have been prevented by the system Mike
proposes (as well as most of the variants down-thread).  (Unless TrendMicro
sent the header, of course.)

On Mon, Jan 4, 2016 at 5:10 AM, Mike West <mkwst@google.com> wrote:

> Happy new year, WebAppSec! This seems like a lovely time to rekindle the
> fire under the public/private origin restriction that we removed from Mixed
> Content way back in 2014 (
> http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin).
>
> I've put together a kinder, gentler take on hardening the user agent
> against the kinds of attacks that such requests enable:
> https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only
> poked at it sporadically over the holidays, but I think there's enough
> there to get a conversation going.
>
> In a nutshell, the proposal is to require a CORS-preflight request for
> requests initiated from the public internet which target private IP space.
> This preflight requires an opt-in on the part of the intranet server via a
> new CORS header, but doesn't block the requests entirely (which was a
> failing of the initial proposal). I imagine this server-side opt-in being
> combined in some intelligent way with a user-side opt-in (Presto-style
> interstitial? permission request?), but I haven't explored anything in that
> direction.
>
> CCing a few folks who've commented on the topic in the past; I imagine
> you'll have opinions. :)
>
> -mike
>

Received on Wednesday, 13 January 2016 00:42:35 UTC
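To make the mechanism discussed above concrete, here is an added example (not code from the draft, from Mike West, or from this thread) that simulates the user agent's decision and the intranet server's opt-in. It assumes the user agent knows the initiator's and the target's resolved IP addresses, restricts "private IP space" to the RFC 1918 IPv4 blocks, and uses a hypothetical header name for the opt-in, since the message only says "a new CORS header".

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private address blocks; the draft's "private IP space" is assumed
# to mean exactly these for this example.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical opt-in header name (assumption; the draft is only described
# as introducing "a new CORS header").
OPT_IN_HEADER = "Access-Control-Allow-Private-Network"


def address_space(ip: str) -> str:
    """Classify an IP literal as 'private' (RFC 1918) or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and any(addr in net for net in RFC1918_NETWORKS):
        return "private"
    return "public"


def preflight_required(initiator_ip: str, target_ip: str) -> bool:
    """The proposal: a request initiated from the public internet that
    targets private IP space needs a CORS preflight first."""
    return (address_space(initiator_ip) == "public"
            and address_space(target_ip) == "private")


@dataclass
class IntranetServer:
    """Simulated intranet HTTP server; opt_in controls whether it sends
    the opt-in header on preflight responses. The log records which
    requests actually reached the server."""
    opt_in: bool
    log: list = field(default_factory=list)

    def handle(self, method: str, headers: dict):
        self.log.append((method, headers.get("Origin")))
        if method == "OPTIONS":
            resp = {"Access-Control-Allow-Origin": headers.get("Origin", "*")}
            if self.opt_in:
                resp[OPT_IN_HEADER] = "true"
            return 204, resp, b""
        # Constructed sample body standing in for a sensitive intranet page.
        return 200, {}, b"router admin page (constructed sample)"


def user_agent_fetch(origin: str, initiator_ip: str, target_ip: str,
                     server: IntranetServer) -> dict:
    """Simulated user-agent side of a cross-origin fetch.

    Returns a dict with the outcome ('allowed' or 'blocked') and whether a
    preflight was sent. A blocked request never reaches the server as a GET,
    which is the property that defeats the CSRF-style attacks on intranet
    devices this thread is about."""
    headers = {"Origin": origin}
    sent_preflight = False
    if preflight_required(initiator_ip, target_ip):
        sent_preflight = True
        _, resp_headers, _ = server.handle("OPTIONS", headers)
        if resp_headers.get(OPT_IN_HEADER, "").lower() != "true":
            return {"outcome": "blocked", "preflight": True}
    server.handle("GET", headers)
    return {"outcome": "allowed", "preflight": sent_preflight}


if __name__ == "__main__":
    # Public page (constructed IP) targeting an intranet device without opt-in.
    s = IntranetServer(opt_in=False)
    print(user_agent_fetch("https://attacker.example", "203.0.113.10", "192.168.1.1", s), s.log)
    # Same target, but the device opted in via the header.
    s = IntranetServer(opt_in=True)
    print(user_agent_fetch("https://attacker.example", "203.0.113.10", "192.168.1.1", s), s.log)
    # Intranet page talking to an intranet device: no preflight needed.
    s = IntranetServer(opt_in=False)
    print(user_agent_fetch("http://intranet.example", "10.0.0.5", "192.168.1.1", s), s.log)
```

The key property to check is the server log: when the public origin's request is blocked, the only request the intranet device ever sees is the OPTIONS preflight, so a device that does not send the header is reachable only from addresses already inside the private space. That is also the caveat the reply above raises: a device that does send the opt-in header re-exposes itself, so the header is a deliberate decision by the intranet server, not a default.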