Re: [WEB SECURITY] firefox3 vuln by design?
- From: Thomas Roessler <tlr@xxxxxx>
- Subject: Re: [WEB SECURITY] firefox3 vuln by design?
- Date: Thu, 30 Aug 2007 09:53:50 +0200
On 2007-08-29 01:36:25 +0200, Thierry Zoller wrote:
> >And finally, the proposed W3C specifications are insecure from start.
> It says Draft?
The specification for the access-control processing instruction and
HTTP header is indeed a Working Draft, i.e., subject to further work
and change as the WG deems fit:
http://www.w3.org/TR/access-control/
Comments can (and should!) be sent to public-appformats@xxxxxxx
How to actually use the entire thing with XMLHttpRequest isn't even
part of the current working draft for that (different)
specification, yet:
http://www.w3.org/TR/2007/WD-XMLHttpRequest-20070618/
There, too, comments are always welcome.
>>This cross domain access control mechanism is also subjective to
>>TRACK/TRACE
> No, Trace gives headers last time I used it; it will not reflect the
> content of the XML data. Am I wrong?
The "access-control" specification includes a definition of an HTTP
header. However, I right now fail to see where its use with
TRACK/TRACE leads to any new vulnerabilities.
>>This port scanning method does not work today, but it will if
>>you implement the W3C standard.
> Assumption
If you want to use the access-control framework, you need to somehow
get the policy from the server. So, yes, if implemented with XHR,
you'll presumably be able to cause relatively random GET (or more
likely HEAD) requests -- but then again, you can do that by writing
<img/> or <script/> tags into your DOM.
To curb port scanning, you can (a) restrict the ports that these
requests might actually go to; (b) specify the API to make an
"access denied" error as indistinguishable as possible from a
network-level error.
(And yes, I realize that that sounds easier than it might be, e.g.,
an attacker could try to work out timing characteristics of the
different approaches.)
Regards,
--
Thomas Roessler, W3C <tlr@xxxxxx>
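The two countermeasures in the post above, as an added toy model that is not code from the W3C draft or from the list (the header name, the port allowlist and the "network" are constructed assumptions for illustration): a leaky fetch API whose distinct "access denied" outcome lets a page tell an open port from a closed one, next to a hardened one that (a) refuses non-allowlisted ports before connecting and (b) collapses policy denial and connection failure into one outcome.

```python
# Toy model of a browser's cross-site XHR policy check (added example; not the
# draft's real syntax). Header name and value format are assumptions.
ALLOW_HEADER = "X-Example-Allow-Origin"   # hypothetical allow-list header
SAFE_PORTS = {80, 443}                    # hypothetical per-UA port allowlist


def policy_allows(headers, origin):
    """True if the hypothetical allow-header lists the requesting origin."""
    values = headers.get(ALLOW_HEADER, "").split(",")
    return origin in {v.strip() for v in values if v.strip()}


def naive_fetch(transport, host, port, origin):
    """Leaky API: a page can distinguish 'no listener' from 'policy said no'."""
    try:
        headers = transport(host, port)
    except ConnectionRefusedError:
        return "network-error"
    return "ok" if policy_allows(headers, origin) else "access-denied"


def hardened_fetch(transport, host, port, origin):
    """(a) probe only allowlisted ports; (b) denial and unreachability collapse.
    Timing differences between the two paths are NOT modelled here."""
    if port not in SAFE_PORTS:
        return "error"
    try:
        headers = transport(host, port)
    except ConnectionRefusedError:
        return "error"
    return "ok" if policy_allows(headers, origin) else "error"


# Constructed "network": services on 80 and 8080 that allow one partner origin
# only; nothing listens on 8081. No real sockets are opened.
SERVICES = {
    ("victim.example", 80):   {ALLOW_HEADER: "https://partner.example"},
    ("victim.example", 8080): {ALLOW_HEADER: "https://partner.example"},
}


def fake_transport(host, port):
    if (host, port) not in SERVICES:
        raise ConnectionRefusedError
    return SERVICES[(host, port)]


def outcomes(fetch, ports, origin="https://other.example"):
    """What a page from `origin` observes per port through the given API."""
    return {p: fetch(fake_transport, "victim.example", p, origin) for p in ports}
```

With `naive_fetch` the results for ports 8080 and 8081 differ, which is the oracle; with `hardened_fetch` every non-partner probe returns the same "error", and the partner origin still succeeds on port 80 but not on the non-allowlisted 8080.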