[OpenAjaxSecurity] Anyone care to comment on latest CSRF discussion about Access Control

Jon Ferraiolo jferrai at us.ibm.com
Tue Jan 15 15:02:21 PST 2008


Hi Bertrand,
Actually, Anne is a he. (Dutch, I believe.)

His point about <img>,<script> and <form> is that if a web service works
with GET, then you could invoke the CSRF-vulnerable web service via
something like:

<img width="0" height="0"
src="http://example.com/reset_password.asp?new_email_address=badboy@evil.com&new_password=gotcha"/>

So, they are saying that because some web services are designed poorly
today such that they are vulnerable to CSRF attacks *and* allow data upload
via GET parameters to <img>, then what's the big deal about opening up a
(what they believe is) a tiny new CSRF attack vector via XMLHttpRequest
where method=POST, especially given the (what they believe is) critical
requirement that cookies be sent with the cross-domain request. Personally,
I don't buy this line of reasoning. I don't think we should allow a new
browser feature which extends the ability for site A to send cookies up to
site B, especially when that feature is specifically defined to work with
POST. If site B wants to share the information that it stores in cookies
with a different site, then there are other mechanisms that can be used.

At the moment, I am outnumbered on the W3C mailing list. It would be
helpful if the IE team offered up some opinions on the W3C mailing list.

Jon
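The <img> vector described above works because a browser attaches the cookies of example.com to any request it makes there, whichever page triggered it. What follows is an added example, not code from this thread or from the OpenAjax Alliance: a small Python request checker (standard library only; the session store, SITE_ORIGIN, the secret and the three sample requests are constructed for the example) showing how a service that owns the cookie can protect a state-changing endpoint such as reset_password whether the request arrives via <img>, <form> or a cookie-carrying cross-domain XHR.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

SITE_ORIGIN = "http://example.com"  # "site B" in Jon's terms; constructed value
SERVER_SECRET = b"constructed-secret-for-this-example"  # real code reads this from config

# Constructed session store: value of the "sid" cookie -> user name.
SESSIONS = {"sid-alice": "alice"}


def csrf_token(session_id: str) -> str:
    """Per-session token that only pages served by SITE_ORIGIN can read and echo back."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """The parts of an HTTP request the check needs (hypothetical shape)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # parsed POST body


def session_id_from(req: Request):
    """Extract the 'sid' cookie value, or None when no session cookie is present."""
    jar = SimpleCookie(req.headers.get("Cookie", ""))
    return jar["sid"].value if "sid" in jar else None


def check_state_change(req: Request) -> tuple:
    """Decide whether a state-changing endpoint such as reset_password may act.

    The cookie says *who* the browser is acting for; it must not say *whether*
    that user intended the request, because browsers attach it to any
    cross-site <img>, <form> or XHR request.
    """
    session_id = session_id_from(req)
    if session_id not in SESSIONS:
        return False, "no valid session"
    # 1. <img>/<script> fetches are GETs: never change state on GET at all.
    if req.method != "POST":
        return False, "state change requires POST"
    # 2. If the browser tells us the requesting origin, it must be our own.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request from " + origin
    # 3. The body must carry the per-session token: a foreign page cannot read
    #    it, and not every browser sends Origin, so step 2 alone is not enough.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(session_id)):
        return False, "missing or wrong CSRF token"
    return True, "ok for " + SESSIONS[session_id]


# The <img> vector from the thread as the server receives it from a victim
# whose browser attached the example.com session cookie (constructed request).
IMG_ATTACK = Request(
    "GET",
    "/reset_password.asp?new_email_address=badboy@evil.com&new_password=gotcha",
    headers={"Cookie": "sid=sid-alice"},
)

# The cookie-carrying cross-domain XHR case Jon worries about: a POST with the
# session cookie but nothing a foreign page could not have produced.
XHR_ATTACK = Request(
    "POST",
    "/reset_password.asp",
    headers={"Cookie": "sid=sid-alice", "Origin": "http://attacker.invalid"},
    form={"new_email_address": "badboy@evil.com", "new_password": "gotcha"},
)

# The legitimate request: same origin, and the page echoed back its token.
LEGIT = Request(
    "POST",
    "/reset_password.asp",
    headers={"Cookie": "sid=sid-alice", "Origin": SITE_ORIGIN},
    form={"new_password": "s3cret", "csrf_token": csrf_token("sid-alice")},
)

if __name__ == "__main__":
    for name, req in [("img", IMG_ATTACK), ("xhr", XHR_ATTACK), ("legit", LEGIT)]:
        print(name, check_state_change(req))
```

The point of the three checks is that the cookie is only ever used to look up the session; the decision to act rests on evidence a foreign page cannot supply. Of the three, the token check is the one that holds even when a browser sends cookies cross-site and omits Origin, which is why it is the one a service should not skip.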


Bertrand Le Roy <Bertrand.Le.Roy@microsoft.com>
Sent by: security-bounces@openajax.org
01/15/2008 11:38 AM
To: OpenAjax Alliance Security Task Force <security at openajax.org>
Subject: Re: [OpenAjaxSecurity] Anyone care to comment on latest CSRF discussion about Access Control
Please respond to: OpenAjax Alliance Security Task Force <security at openajax.org>

Her arguments about <img>, <script> and <form> don’t make a lot of sense:
how do you steal what the server returned? Only script allows it *if* it’s
designed to send contents back to a parent frame or something along those
lines.

From: security-bounces at openajax.org [mailto:security-bounces at openajax.org]
On Behalf Of Jon Ferraiolo
Sent: Tuesday, January 15, 2008 8:17 AM
To: security at openajax.org
Subject: [OpenAjaxSecurity] Anyone care to comment on latest CSRF
discussion about Access Control



I have been slammed again by Anne, editor of the CSRF spec, this time
saying nothing is new with the scenarios that I depict (you have to follow
the link to see the scenario I depict), but my argument is that, if it
becomes popular with web service providers, Access Control would add new
vulnerability to different sorts of web services (in particular, XHR and
XML based ones) and to a larger group of less sophisticated developers.
What do you think about how hard we should pound on the cookie issue?

Jon


----- Forwarded by Jon Ferraiolo/Menlo Park/IBM on 01/15/2008 08:12 AM
-----

"Anne van Kesteren" <annevk at opera.com>
01/15/2008 07:52 AM
To: Jon Ferraiolo/Menlo Park/IBM at IBMUS
cc: "WAF WG (public)" <public-appformats at w3.org>
Subject: Re: ISSUE 19: Requirements and Usage Scenarios document

On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo <jferrai at us.ibm.com>
wrote:
> I described a CSRF scenario in
> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html.
> Search for the word "attack". My example attack vector depends on cookies
> being sent as part of the cross-site request and assumes that the
> simplicity of using Access Control would result in widespread adoption by a
> new generation of unsophisticated web service developers who will open up
> their APIs to mashup applications without understanding the consequences.
> Note that the big CSRF worry here is that cookies are sent with the
> requests.

Cookies are already sent for <img>, <script>, and <form> requests. Nothing
new. If people mindlessly opt in we might have a problem (though it's
really the people that opt in that do), but I would expect that
dalmationlovers.invalid & co are using some off the shelf software.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

_______________________________________________
security mailing list
security at openajax.org
http://openajax.org/mailman/listinfo/security

