W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2008

[whatwg] Referer header sent with <a ping>?

From: dolphinling <lists@dolphinling.net>
Date: Tue, 22 Jan 2008 23:10:40 -0500
Message-ID: <4796BE40.6050500@dolphinling.net>
HTML5 doesn't say anything about whether a referer should be sent with the POST 
generated by <a ping>. There is a new attack vector <a ping> opens (as currently 
being discussed on mozilla.dev.platform) that would be blocked if the referer 
were not sent.

----------
The attack vector relies on the following (not-uncommon) things:

1) There is a site that checks that a request is a POST before doing something 
potentially harmful (note that some sites do this but still respond to query 
parameters in the URL)
2) The server depends on user authentication
3) The server checks the referer before doing something potentially harmful, and 
only allows the action if the referer was from the same server

...And for the attack vector to be *new*, it relies on
4) The server has either an out-of-date blacklist that doesn't block <a ping> or 
a whitelist that explicitly allows <a ping>

(The attack is then obviously <a href="innocentpage" 
ping="userdata?dosomething=evil"> posted on a user-editable part of that server).

I have in the past known sites that fit all 4 criteria (now upgraded to use a 
proper whitelist, though), and I'd be surprised if others didn't exist.
----------

Note that there may be other ways of blocking this attack vector, but the 
question here is whether the referer is needed, as it doesn't seem to make any 
new legitimate things possible, and would help in this case (and perhaps 
others--e.g. privacy).

-- 
dolphinling
<http://dolphinling.net/>
Received on Tuesday, 22 January 2008 20:10:40 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:00 UTC