WebApp Sec mailing list archives
RE: Blind cross-domain POST/GET requests
From: Andrew Moise <chops () demiurgestudios com>
Date: Wed, 01 Dec 2004 15:41:43 -0500
On Wed, 2004-12-01 at 14:18 -0500, Scovetta, Michael V wrote:
> Unless I'm missing something, which is quite possible...
I think you are :-). It's pretty trivial to get your victim to load a particular URL; I don't think of allowing <img src="foo"> as an XSS vulnerability. However, if "foo" is a URL which has side effects, then your victim will access the script and cause those side effects, with any cookies/certificates/whatever authentication tokens they have.

Basically, it seems like any URL which causes side effects, and which is accessed via predictable syntax, is vulnerable to an attacker causing requests that appear to come from a different person, regardless of any authentication the script uses outside the URL parameters themselves. I had never heard of this either; it sounds like this class of vulnerability is incredibly widespread. I see from that other post that it's called CSRF.

Just to be clear, the common solution is for _every_ web-accessible script that causes abusable side effects to read and check a validation parameter (HMAC, session ID, or whatever) that won't be forgeable by an attacker (regardless of what access control it uses outside the GET/POST parameters), right?

--
Andrew Moise <chops () demiurgestudios com>
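The mitigation the post asks about, as an added example that is not part of the original thread or anyone's posted code: a state-changing endpoint that only acts when the request carries a per-session token derived with an HMAC over the session ID under a server-side secret. The browser attaches the session cookie to a cross-site request automatically, but the attacker's page cannot read the token out of the victim's form, so the forged request fails the check. The request dictionaries, session store, the `/transfer` endpoint and the secret value are all constructed for the example; in a real deployment the secret comes from a random generator and lives outside the code. Rejecting GET for side effects covers the `<img src="foo">` case directly.

```python
import hashlib
import hmac
from typing import Optional

# Constructed secret for the example only; generate with secrets.token_bytes(32)
# and keep it out of source control in real use.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session token = HMAC-SHA256(secret, session_id).
    Without the server secret an attacker cannot compute this value,
    even though the victim's browser will happily send the session cookie."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted: Optional[str],
                   secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison so response timing does not leak the token."""
    if not submitted:
        return False
    return hmac.compare_digest(make_csrf_token(session_id, secret), submitted)


def render_transfer_form(session_id: str) -> str:
    """The legitimate page embeds the token in a hidden field. A page on
    another origin can trigger the POST but cannot read this markup."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{make_csrf_token(session_id)}">'
            '<input name="amount"><input type="submit"></form>')


def handle_transfer(request: dict, sessions: dict) -> tuple:
    """Hypothetical state-changing endpoint. `request` is a minimal stand-in
    for a framework request object: {'method', 'cookies', 'form'}."""
    sid = request.get("cookies", {}).get("session")
    if sid not in sessions:
        return 401, "not logged in"
    # Side effects are never performed on GET, so <img src=...> cannot trigger them.
    if request.get("method") != "POST":
        return 405, "side effects only via POST"
    token = request.get("form", {}).get("csrf_token")
    # Authentication (the cookie) is not enough: the request must also prove
    # it originated from a page this site rendered for this session.
    if not token_is_valid(sid, token):
        return 403, "missing or invalid CSRF token"
    amount = int(request["form"].get("amount", 0))
    sessions[sid]["balance"] -= amount
    return 200, f"transferred {amount}"


def demo() -> dict:
    """Run a legitimate request and two forged ones against the same session."""
    sessions = {"sess-abc": {"user": "alice", "balance": 100}}  # constructed
    # Legitimate: the user submits the form the site rendered, token included.
    legit = {"method": "POST", "cookies": {"session": "sess-abc"},
             "form": {"csrf_token": make_csrf_token("sess-abc"), "amount": "30"}}
    # Forged POST: a third-party page auto-submits a form to /transfer. The
    # browser adds the cookie, but the page has no way to obtain the token.
    forged_post = {"method": "POST", "cookies": {"session": "sess-abc"},
                   "form": {"amount": "30"}}
    # Forged GET: the <img src="..."> case from the thread.
    forged_get = {"method": "GET", "cookies": {"session": "sess-abc"},
                  "form": {"amount": "30"}}
    return {
        "legit": handle_transfer(legit, sessions),
        "forged_post": handle_transfer(forged_post, sessions),
        "forged_get": handle_transfer(forged_get, sessions),
        "balance": sessions["sess-abc"]["balance"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Binding the token to the session ID means a token leaked from one user's page is useless against another session, and checking it on every side-effecting script (not just the login form) is what the post's "_every_ web-accessible script" requirement amounts to.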
Current thread:
- Blind cross-domain POST/GET requests Florian Weimer (Dec 01)
- Re: Blind cross-domain POST/GET requests Saqib . N . Ali (Dec 01)
- Re: Blind cross-domain POST/GET requests Saqib . N . Ali (Dec 01)
- Re: Blind cross-domain POST/GET requests Saqib . N . Ali (Dec 03)
- <Possible follow-ups>
- RE: Blind cross-domain POST/GET requests Scovetta, Michael V (Dec 01)
- RE: Blind cross-domain POST/GET requests Andrew Moise (Dec 02)