[OpenAjaxSecurity] Anyone care to comment on latest CSRF discussion about Access Control

Jon Ferraiolo jferrai at us.ibm.com
Tue Jan 15 08:16:47 PST 2008



I have been slammed again by Anne, editor of the CSRF spec, this time
saying nothing is new with the scenarios that I depict (you have to follow
the link to see the scenario I depict), but my argument is that, if it
becomes popular with web service providers, Access Control would add new
vulnerability to different sorts of web services (in particular, XHR and
XML based ones) and to a larger group of less sophisticated developers.
What do you think about how hard we should pound on the cookie issue?

Jon


----- Forwarded by Jon Ferraiolo/Menlo Park/IBM on 01/15/2008 08:12 AM -----

From: "Anne van Kesteren" <annevk at opera.com>
To: Jon Ferraiolo/Menlo Park/IBM at IBMUS
Cc: "WAF WG (public)" <public-appformats at w3.org>
Date: 01/15/2008 07:52 AM
Subject: Re: ISSUE 19: Requirements and Usage Scenarios document

On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo <jferrai at us.ibm.com>
wrote:
> I described a CSRF scenario in
> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html.
> Search for the word "attack". My example attack vector depends on cookies
> being sent as part of the cross-site request and assumes that the
> simplicity of using Access Control would result in widespread adoption by a
> new generation of unsophisticated web service developers who will open up
> their APIs to mashup applications without understanding the consequences.
> Note that the big CSRF worry here is that cookies are sent with the
> requests.

Cookies are already sent for <img>, <script>, and <form> requests. Nothing
new. If people mindlessly opt in we might have a problem (though it's
really the people that opt in that do), but I would expect that
dalmationlovers.invalid & co are using some off the shelf software.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

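The point both sides circle around is that a session cookie is attached to a cross-site request whether it comes from <img>, <form> or a cross-site XHR, so a service that opts in must not treat "cookie present" as "the user meant this". The following is an added example, not code from either author or from the spec; it models a cookie-authenticated service's server-side decision, using the later CORS header names (an assumption; the 2008 draft used different syntax), an explicit origin allowlist instead of a wildcard, and a per-session token for state-changing requests. The session store, secret and requests are constructed.

```python
import hmac
import hashlib

SESSIONS = {"s3cr3t-session-id": "alice"}      # constructed session store
ALLOWED_ORIGINS = {"https://partner.example"}   # explicit allowlist, never "*"
SERVER_SECRET = b"constructed-server-secret"    # would be generated, not literal


def parse_cookie(header):
    """Split a Cookie header into a dict (tolerates a missing header)."""
    jar = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    return jar


def csrf_token_for(sid):
    """Per-session token a foreign page cannot read: HMAC of the session id."""
    return hmac.new(SERVER_SECRET, (sid or "").encode(), hashlib.sha256).hexdigest()


def authorize(method, headers):
    """Return (user, response_headers); user is None when the request is refused.

    Rule: the cookie alone never proves the request came from the user's own
    page. Cross-site requests (those carrying Origin) are honored with
    credentials only from allowlisted origins, and state-changing methods
    additionally need the session-bound token. A request without Origin is
    treated as same-site here (assumption for the example).
    """
    origin = headers.get("Origin")
    jar = parse_cookie(headers.get("Cookie"))
    sid = jar.get("sid")
    user = SESSIONS.get(sid)
    resp = {}
    if origin is not None:
        if origin not in ALLOWED_ORIGINS:
            return None, resp      # no credentialed response for unknown origins
        resp["Access-Control-Allow-Origin"] = origin   # echo only allowlisted origins
        resp["Access-Control-Allow-Credentials"] = "true"
    if method in ("POST", "PUT", "DELETE"):
        token = headers.get("X-CSRF-Token", "")
        if user is None or not hmac.compare_digest(token, csrf_token_for(sid)):
            return None, resp      # cookie present but no proof of intent
    return user, resp
```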