Re: [WEB SECURITY] Defeating nonce/token based CSRF protection
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Defeating nonce/token based CSRF protection
- Date: Wed, 23 Apr 2008 01:38:02 -0500
Ory Segal wrote on 4/17/2008 1:49 PM:
> The only possible way to do this, is by using XMLHttpRequest, and that is
> only possible if you are operating in the same domain.
This soon won't be true. Internet Explorer 8 is implementing cross-site requests[1] and Firefox 3 was also going to have it, but it was pulled due to security concerns[2]. I imagine Opera will also have it (or currently has it?), considering Anne is the editor of the working draft for access control[3].
I played with Firefox 3b2 (which had the cross-site request feature before they pulled it) and I created a simple exploit to grab recently searched addresses from Google Maps -- but it could have been the implementation was incomplete as it was a beta. I haven't played with IE8's implementation yet but it's on the to-do list.
In any event, the cross-site request feature of HTML5 is something to keep an eye on, especially since it sounds like the implementation will differ considerably among the various browsers[4].
- Bil
[1] http://go.microsoft.com/fwlink?LinkID=110280
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=424923
[3] http://www.w3.org/TR/2008/WD-access-control-20080214/
[4] http://ejohn.org/blog/javascript-in-internet-explorer-8/ (scroll down to "XDomainRequest")
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
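What "defeating nonce/token based CSRF protection" with cross-site XMLHttpRequest would actually require, as an added example that is not part of the original thread: the attacker's page has to read the victim's form cross-site, with the victim's cookies attached, and the browser only exposes that response if the server's access-control headers permit it. The code below simulates that browser-side check and runs it against three constructed server configurations. It assumes the modern CORS rule (Access-Control-Allow-Origin plus Access-Control-Allow-Credentials), which is the descendant of the access-control draft cited above, and the hidden-field name "csrf_token", the origins and the token value are all made up for the example.

```javascript
// Added example (not from the original post): simulates the browser-side
// access-control check that decides whether a cross-site XMLHttpRequest may
// read a response, and shows how a misconfigured server hands a CSRF token
// to an attacker's origin. Pages, headers and origins below are constructed.

// Pull the anti-CSRF token out of a hidden form field. The field name
// "csrf_token" is an assumption for this example.
function extractCsrfToken(html) {
  const m = /<input[^>]*name=["']csrf_token["'][^>]*value=["']([^"']+)["']/i.exec(html);
  return m ? m[1] : null;
}

// Modern CORS rule (assumed here as the model of what the access-control
// draft was heading towards): a response is readable from requestOrigin only
// if the server names that origin (or "*"); a credentialed request also
// needs Access-Control-Allow-Credentials: true and may not use the wildcard.
function crossSiteReadAllowed(requestOrigin, withCredentials, headers) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k];
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return false;
  if (withCredentials) {
    if (allowOrigin === "*") return false;
    return allowOrigin === requestOrigin &&
      h["access-control-allow-credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}

// The attacker's page at attackerOrigin issues a credentialed cross-site GET
// for the victim's form. fetchPage stands in for the network: it receives the
// Origin request header and returns {headers, body} as a server would.
function stealToken(attackerOrigin, fetchPage) {
  const resp = fetchPage({ Origin: attackerOrigin });
  if (!crossSiteReadAllowed(attackerOrigin, true, resp.headers)) {
    return null; // browser refuses to expose the body; token stays secret
  }
  return extractCsrfToken(resp.body);
}

// Constructed victim page carrying a per-session token.
const VICTIM_FORM =
  '<form method="POST" action="/transfer">' +
  '<input type="hidden" name="csrf_token" value="9d0e2c4a1b7f">' +
  '<input name="amount"><input type="submit"></form>';

// Server 1: no access-control headers at all (the same-origin-only world).
function serverNoAcl(req) {
  return { headers: { "Content-Type": "text/html" }, body: VICTIM_FORM };
}

// Server 2: reflects any Origin and allows credentials. This is the
// misconfiguration that turns cross-site XHR into a CSRF-token oracle.
function serverReflectsOrigin(req) {
  return {
    headers: {
      "Content-Type": "text/html",
      "Access-Control-Allow-Origin": req.Origin,
      "Access-Control-Allow-Credentials": "true",
    },
    body: VICTIM_FORM,
  };
}

// Server 3: wildcard only. Readable by anyone, but never with cookies, so a
// session-bound token is not exposed to the attacker.
function serverWildcard(req) {
  return {
    headers: { "Content-Type": "text/html", "Access-Control-Allow-Origin": "*" },
    body: VICTIM_FORM,
  };
}

// Run the attacker's page against all three servers.
function demo() {
  const attacker = "http://evil.example";
  return {
    noAcl: stealToken(attacker, serverNoAcl),
    reflects: stealToken(attacker, serverReflectsOrigin),
    wildcard: stealToken(attacker, serverWildcard),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Only the origin-reflecting server with credentials enabled gives up the token; the no-header and wildcard cases return null, which is why the token scheme survives cross-site XHR as long as the server does not echo arbitrary origins with credentials.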