- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 04 Mar 2007 14:46:16 +0100
- To: WebDAV WG <w3c-dist-auth@w3.org>
Proposed Changes (see also <http://ietf.osafoundation.org:8080/bugzilla/show_bug.cgi?id=237> and <http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.issue.bz237>):

Proposed changes:

+++

NEW (add to 20.8)

One specific attack scenario deserves special mention here: with the arrival of the "XMLHttpRequest" API (see [WD-XMLHttpRequest]), user agents have acquired the capability to submit arbitrary HTTP requests against the server the content was obtained from. With the well-known semantics of HTTP verbs such as PUT and DELETE, the following attack becomes possible:

1. Alice prepares an HTML page with embedded Javascript code that will submit a DELETE request against the URI http://www.example.com/users/bob/ (a resource she has not write access to).

2. Alice stores this HTML page at http://www.example.com/users/alice/readme.html, a resource she has write access to.

3. Alice emails Bob a link to http://www.example.com/users/alice/readme.html, for which he has read access once authenticated.

4. Bob follows the link, authenticates, and the embedded script code executes the DELETE request against http://www.example.com/users/bob/ while being authenticated as Bob.

This attack relies on the common risk of collaboratively authoring resources on the same server, which requires a certain amount of trust between the users. However, even an action usually considered as "safe", such as opening an HTML page in a web browser, can cause arbitrary HTTP methods to be invoked. Note that WebDAV isn't the root cause for this vulnerability, it just makes it more visible.

Potential steps to reduce the risks associated with this attack include:

o Separating server domains for authoring (read/write) and publicly serving content.

o Disallowing certain content (such as scripts in HTML pages) altogether, as discussed above.

o Using user agents that follow Section 9.1.1 of [RFC2616], in that they do not allow unsafe methods to be executed without making the user aware of the consequences - unfortunately, none of today's browsers is doing that.

NEW (add to informative references):

[WD-XMLHttpRequest] van Kesteren, A., "The XMLHttpRequest Object", W3C WD-XMLHttpRequest-20070227, February 2007, <http://www.w3.org/TR/2007/WD-XMLHttpRequest-20070227/>. Work in progress.

+++

Best regards, Julian
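The first mitigation in the proposed text, separate domains for authoring and for public serving, as an added example that is not part of the post or of the RFC 2518bis draft: a WSGI middleware that only accepts unsafe methods on an authoring virtual host and refuses them with 405 on the public one, logging the refusal so that a script-driven DELETE arriving on the public host shows up in detection. The hostnames are placeholders, and treating PROPFIND as read-only alongside the RFC 2616 safe methods is this example's assumption.

```python
import logging

# Assumed deployment: one vhost for read/write authoring, one for public reading.
AUTHORING_HOST = "dav.example.com"   # placeholder
PUBLIC_HOST = "www.example.com"      # placeholder

# Methods with safe semantics per RFC 2616 section 9.1.1, plus PROPFIND, which
# only reads properties (assumption: no other read-only DAV methods are exposed).
# Everything else (PUT, DELETE, MOVE, COPY, ...) is refused on the public host.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "PROPFIND"})

log = logging.getLogger("dav.policy")


def decide(host, method):
    """Return (allowed, reason) for a request method on a given virtual host."""
    host = host.split(":", 1)[0].lower()   # drop any :port suffix
    method = method.upper()
    if host == AUTHORING_HOST:
        return True, "authoring host accepts all methods"
    if host == PUBLIC_HOST:
        if method in SAFE_METHODS:
            return True, "safe method on public host"
        return False, "unsafe method %s refused on public host" % method
    return False, "unknown host"


class SplitDomainMiddleware:
    """Wraps the DAV application and enforces the host/method policy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "")
        method = environ.get("REQUEST_METHOD", "GET")
        allowed, reason = decide(host, method)
        if allowed:
            return self.app(environ, start_response)
        # An authenticated unsafe request on the public host is exactly the
        # footprint of the scripted attack described above, so log who sent it.
        log.warning("refused %s %s on %s (user %s): %s", method,
                    environ.get("PATH_INFO", "/"), host,
                    environ.get("REMOTE_USER", "-"), reason)
        start_response("405 Method Not Allowed",
                       [("Allow", ", ".join(sorted(SAFE_METHODS))),
                        ("Content-Type", "text/plain")])
        return [b"unsafe methods are only accepted on the authoring host\n"]
```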
Received on Sunday, 4 March 2007 13:47:41 UTC