- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 04 Mar 2007 20:22:13 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: WebDAV WG <w3c-dist-auth@w3.org>
* Julian Reschke wrote:
> One specific attack scenario deserves special mention here: with the
> arrival of the "XMLHttpRequest" API (see [WD-XMLHttpRequest]), user
> agents have acquired the capability to submit arbitrary HTTP requests
> against the server the content was obtained from. With the
> well-known semantics of HTTP verbs such as PUT and DELETE, the following
> attack becomes possible:
>
> 1. Alice prepares an HTML page with embedded Javascript code that
> will submit a DELETE request against the URI
> http://www.example.com/users/bob/ (a resource she has not write
> access to).
>
> 2. Alice stores this HTML page at
> http://www.example.com/users/alice/readme.html, a resource she
> has write access to.
>
> 3. Alice emails Bob a link to
> http://www.example.com/users/alice/readme.html, for which he has
> read access once authenticated.
>
> 4. Bob follows the link, authenticates, and the embedded script code
> executes the DELETE request against
> http://www.example.com/users/bob/ while being authenticated as
> Bob.

You should say Bob has write access to http://www.example.com/users/bob/
I missed that at first and wondered what the point here might be.

> o Using user agents that follow Section 9.1.1 of [RFC2616], in that
> they do not allow unsafe methods to be executed without making the
> user aware of the consequences - unfortunately, none of today's
> browsers is doing that.

I don't think this is the best way to put it, but I don't have much
better text at hand right now.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 4 March 2007 19:22:29 UTC
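The scenario quoted in the message above (script in one user's upload issuing a DELETE with another user's credentials on the same host) is one that same-origin checks alone cannot catch, because the hostile page really is same-origin. The following is an added example, not code from the draft or from anyone in this thread, showing two server-side mitigations a WebDAV operator could apply: refusing unsafe methods whose `Referer` points into the user-content area (or to a foreign host), and serving stored HTML from that area as an attachment so the browser does not execute it in the site's origin. The server layout (`/users/` as the user-content prefix), the host name `www.example.com`, and the function names are assumptions for the example; treat the `Referer` check as a heuristic, since a missing header is let through to keep non-browser WebDAV clients working.

```python
from urllib.parse import urlsplit

# Methods RFC 2616 section 9.1.1 calls "safe" (no side effects on the server).
# PROPFIND is added because the scenario is a WebDAV collection.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}

# Assumed server layout: everything below this prefix is user-uploaded
# content, like /users/alice/readme.html in the quoted scenario.
USER_CONTENT_PREFIX = "/users/"

# Content types the browser would render as a document and execute script in.
SCRIPTABLE_TYPES = {"text/html", "application/xhtml+xml"}


def classify_referer(headers, own_host):
    """Return "none" if no Referer was sent, "foreign" if it names another
    host, otherwise the path component of the referring page on our host."""
    ref = headers.get("Referer")
    if not ref:
        return "none"
    parts = urlsplit(ref)
    if parts.netloc.lower() != own_host.lower():
        return "foreign"
    return parts.path or "/"


def decide(method, path, headers, own_host="www.example.com"):
    """Decide whether a request may proceed; returns (allowed, reason).

    Safe methods always pass.  Unsafe methods (PUT, DELETE, MOVE, ...) are
    refused when the Referer says the request was issued from a page stored
    in the user-content area, i.e. from script embedded in somebody's upload,
    or from a page on another host.  A request with no Referer is allowed,
    because desktop WebDAV clients typically send none; that is the trade-off
    this heuristic makes.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = classify_referer(headers, own_host)
    if origin == "foreign":
        return False, "unsafe method issued from a page on another host"
    if origin != "none" and origin.startswith(USER_CONTENT_PREFIX):
        return False, "unsafe method issued from user-content page %s" % origin
    return True, "unsafe method from trusted page or direct client"


def response_headers_for(path, content_type):
    """Headers added when serving a stored resource.

    HTML stored in the user-content area is served with
    Content-Disposition: attachment, so the browser offers it for download
    instead of rendering it (and running its script) in the site's origin.
    Other content is served unchanged.
    """
    headers = {"Content-Type": content_type}
    media_type = content_type.split(";")[0].strip().lower()
    if path.startswith(USER_CONTENT_PREFIX) and media_type in SCRIPTABLE_TYPES:
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    # Constructed sample requests mirroring the quoted scenario.
    hostile = {"Referer": "http://www.example.com/users/alice/readme.html"}
    print(decide("DELETE", "/users/bob/", hostile))   # refused
    print(decide("PROPFIND", "/users/bob/", hostile)) # safe method, allowed
    print(decide("DELETE", "/users/bob/", {}))        # no Referer, allowed
    print(response_headers_for("/users/alice/readme.html", "text/html"))
```

The two functions address the two sides of the problem separately: `decide` limits what a request made from a stored page can do, and `response_headers_for` keeps stored HTML from running as the site's own content in the first place. Neither replaces the user-agent behaviour the draft asks for, but together they do not depend on it.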