[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0704152308410.14980@dione>
Date: Sun, 15 Apr 2007 23:40:21 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: Michal Majchrowicz <m.majchrowicz@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Domain XMLHttpRequest
On Sun, 15 Apr 2007, Michal Majchrowicz wrote:
> I wanted to show that it is posssible to perform some kind of Cross
> Domain Requests.
As much as I loathe the origin-based security model of modern web
browsers, there are semi-valid reasons why XMLHttpRequest is restricted
the way it is.
A remote attacker can interact with much of the Internet on its own. Your
browser is an asset for him for three primary reasons:
1) It might have access to a network that is not directly reachable
from the Internet, for example a corporate LAN,
2) It might be in possession of authentication tokens that enable it
to access resources the attacker has no access to (web cookies,
basic/NTLM credentials).
3) It might serve as a bounce host to hide the actual source of an
attack against a third-party site (or, say, even simply adding
spam to web forums).
For these reasons, you do not want your browser to roam the Internet on
its own, and all mechanisms that allow this should be restricted. This is
already broken, of course - blind XSRF attacks are possible with plain
HTML - but unrestricted XMLHttpRequest would be a powerful, non-blind, and
fully interactive method that would be nearly impossible to stop.
Your script does not invalidate the need for XMLHttpRequest restrictions -
note that there is nothing for you to be gained from running it on your
server: you won't see more network than you can see already, you will not
receive cookies or other credentials that were not meant for you, and you
won't be able to hide your identity while attacking others.
Some web developers may benefit from such a bouncer, of course - but this
is really not a security-related topic; and still, they should be
cautious, because they might end up turning their system in a nifty zombie
host.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists