- From: dolphinling <lists@dolphinling.net>
- Date: Tue, 22 Jan 2008 23:10:40 -0500
HTML5 doesn't say anything about whether a referer should be sent with the POST generated by <a ping>. There is a new attack vector <a ping> opens (as currently being discussed on mozilla.dev.platform) that would be blocked if the referer were not sent.

----------

The attack vector relies on the following (not-uncommon) things:

1) There is a site that checks that a request is a POST before doing something potentially harmful (note that some sites do this but still respond to query parameters in the URL)

2) The server depends on user authentication

3) The server checks the referer before doing something potentially harmful, and only allows the action if the referer was from the same server

...And for the attack vector to be *new*, it relies on

4) The server has either an out-of-date blacklist that doesn't block <a ping> or a whitelist that explicitly allows <a ping>

(The attack is then obviously <a href="innocentpage" ping="userdata?dosomething=evil"> posted on a user-editable part of that server).

I have in the past known sites that fit all 4 criteria (now upgraded to use a proper whitelist, though), and I'd be surprised if others didn't exist.

----------

Note that there may be other ways of blocking this attack vector, but the question here is whether the referer is needed, as it doesn't seem to make any new legitimate things possible, and would help in this case (and perhaps others--e.g. privacy).

-- 
dolphinling
<http://dolphinling.net/>
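The following is an added example, not part of dolphinling's post or of any browser or site code. It models the server-side check the post describes (criteria 1 and 3: accept only POST, and only when the Referer points at the server itself) and runs it over constructed sample requests: a genuine form submission, a cross-site form post, a GET with query parameters, the POST a browser would generate for an <a ping> placed on a user-editable page of the same site, and that same ping with the Referer omitted as the post proposes. It also shows a per-session CSRF token check, which is a standard mitigation the post does not discuss (it only notes that "other ways of blocking this attack vector" may exist); the hostname `forum.example`, the session token and all request contents are assumptions.

```python
"""Added example: why a same-server Referer check passes a <a ping> POST
originating from user-editable content, and why a per-session token does not.
All hosts, tokens and requests below are constructed sample data."""

from urllib.parse import urlsplit
import hmac

OWN_HOST = "forum.example"  # assumed host of the site doing the checking


def referer_is_same_server(headers, own_host=OWN_HOST):
    """Criterion 3 in the post: Referer present and its host is our own host."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == own_host


def legacy_allows(method, headers):
    """Criteria 1 and 3: POST only, and the Referer must come from this server."""
    return method == "POST" and referer_is_same_server(headers)


def hardened_allows(method, headers, form, session_token):
    """Same checks plus a secret token bound to the logged-in session.
    A ping-generated POST carries no form fields, so it can never present it."""
    if not legacy_allows(method, headers):
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)


# Constructed sample requests: (method, headers, form body)
SESSION_TOKEN = "constructed-per-session-secret"  # stored server-side; assumed
REQUESTS = {
    # a real form submission from one of the site's own pages
    "own_form": ("POST", {"Referer": f"https://{OWN_HOST}/settings"},
                 {"dosomething": "update", "csrf_token": SESSION_TOKEN}),
    # classic cross-site form post: the Referer reveals the foreign origin
    "cross_site_form": ("POST", {"Referer": "https://evil.example/page"},
                        {"dosomething": "evil"}),
    # query parameters on a GET (the aside in criterion 1); rejected by method
    "get_with_params": ("GET", {"Referer": f"https://{OWN_HOST}/x"}, {}),
    # <a ping="userdata?dosomething=evil"> on a user-editable page of the same
    # site: the browser POSTs with Referer set to our own host and no form body
    "ping_with_referer": ("POST",
                          {"Referer": f"https://{OWN_HOST}/profile/someuser"}, {}),
    # the same ping if the browser sent no Referer, as the post proposes
    "ping_no_referer": ("POST", {}, {}),
}


def evaluate(name):
    """Return the verdict of both checks for one constructed request."""
    method, headers, form = REQUESTS[name]
    return {
        "legacy": legacy_allows(method, headers),
        "hardened": hardened_allows(method, headers, form, SESSION_TOKEN),
    }


if __name__ == "__main__":
    for name in REQUESTS:
        print(f"{name:20} {evaluate(name)}")
```

Only `ping_with_referer` separates the two checks: the Referer-based check accepts it because the Referer genuinely is the site's own host, which is exactly the gap the post describes, while omitting the Referer (the `ping_no_referer` case) or requiring a session-bound token closes it.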
Received on Tuesday, 22 January 2008 20:10:40 UTC