Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller <erights@google.com> wrote:
> [+www-tag]
>
> I have received several private responses to my post, but oddly, nothing
> public yet. In these responses, I have been asked most frequently about:

Sorry for the lag in public comments.

> On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erights@google.com> wrote:
> Since malicious machines, or malicious applications running on trusted
> machines, can sent messages that aren't self-identified as cross origin, why
> do I suggest that lack of an origin header (in the absence of other
> credentials) might lead a server into granting more access than it would for
> messages self-identified as "Origin: null"?
>
> For servers reachable from the open internet, such server behavior would
> indeed be nonsensical. However, many servers are behind corporate firewalls
> and not reachable from the open internet. The premise firewalls rely on,
> whether sensible or not, is that all software running behind that firewall
> that can send arbitrary network messages are not malicious. Under this
> assumptions, browsers behind the firewall are assumed not to be malicious
> themselves, but of course may be running malicious scripts associated only
> with origins outside the firewall. These can of course cause their browser
> to initiate network messages to severs within the firewall, but only
> messages identified with browser-imposed headers. For messages not
> identified as cross origin, a server can assume that either the initiating
> program is non-malicious (because it is associated with the server's
> behind-the-firewall origin) or that the initiating program will not receive
> the results of the request.

This seems like a lot of speculation.  Do you have any evidence to
support this hypothesis?

> Under these admittedly fragile (but common) assumptions, a server may indeed
> "trust" a message that doesn't identify itself as cross origin more than it
> "trusts" one that does. Thus, a non malicious script that doesn't wish the
> sanitized scripts it loads to "speak for it" should force all the messages
> they initiate to be identified as "Origin: null".

If this were the case, we'd have this same problem with Referer,
postMessage, Origin-for-CORS, and numerous other web technologies.

Adam

Received on Sunday, 7 June 2009 19:18:40 UTC