On Tue, Dec 9, 2008 at 10:37 PM, Manger, James H <[EMAIL PROTECTED]> wrote:
>> Anybody have a real web app that relies on the integrity
>> of content headers for security?
>
> There have been various attacks using the UTF-7 charset (eg an XSS attack
> against Google in 2005). The attack works when the body of an HTTP response
> is misinterpreted by browsers as UTF-7, instead of UTF-8 or US-ASCII.
> The charset is specified in the Content-Type header.
>
> Another potentially relevant attack, named GIFAR, was reported at BlackHat USA
> this year. A single file (HTTP body) can easily be interpreted as a
> (harmless) GIF image or (potentially malicious) Java code (JAR file). One
> reason the attack worked was because a Java Virtual Machine (JVM) ignored the
> image/gif Content-Type. If the solution was for the JVM to care about the
> Content-Type, not protecting its integrity could undo the solution.
>
> Both of these are real attacks. They might not be absolutely directly
> applicable to this OAuth body signing situation -- but they are close.
Agreed, there are realistic attacks against servers based on content types. Hosting content is a tricky business: PDFs, Flash, HTML, and lots of other content types can cause problems even when the content-type header is accurate.
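As an added illustration of the point made in this exchange (not code from the thread or from any OAuth specification), the constructed Python example below compares a signed digest that covers only the body with a hypothetical variant that also binds the Content-Type header. The body bytes, header values and the `bound_digest` layout are all assumptions for the demonstration.

```python
import hashlib

# Constructed sample (not from the thread): one HTTP body that is byte-for-byte
# identical in both requests; only the Content-Type header is changed in transit.
BODY = b'{"greeting": "hello"}'
ORIGINAL_CT = "application/json; charset=utf-8"
TAMPERED_CT = "application/json; charset=utf-7"


def body_only_digest(content_type: str, body: bytes) -> str:
    """Digest over the body alone; the Content-Type header is outside its scope."""
    return hashlib.sha256(body).hexdigest()


def bound_digest(content_type: str, body: bytes) -> str:
    """Hypothetical digest that also covers the Content-Type header.

    Each field is length-prefixed so bytes cannot be shifted between the
    header and the body without changing the digest. Only surrounding
    whitespace is normalised; this is a simplification for the example.
    """
    ct = content_type.strip().encode("ascii")
    data = len(ct).to_bytes(4, "big") + ct + len(body).to_bytes(4, "big") + body
    return hashlib.sha256(data).hexdigest()


def tamper_detected(digest_fn, sent_ct: str, received_ct: str, body: bytes) -> bool:
    """True if the receiver's recomputed digest differs from the one the sender signed.

    The sender's digest is assumed to be covered by the request signature, so an
    attacker can only alter what lies outside the digest's scope.
    """
    signed = digest_fn(sent_ct, body)
    recomputed = digest_fn(received_ct, body)
    return signed != recomputed


if __name__ == "__main__":
    for name, fn in (("body only", body_only_digest), ("body + Content-Type", bound_digest)):
        charset_swap = tamper_detected(fn, ORIGINAL_CT, TAMPERED_CT, BODY)
        # GIFAR-style case: same bytes relabelled from an image to a JAR media type.
        media_swap = tamper_detected(fn, "image/gif", "application/java-archive", BODY)
        print(f"{name:20}: charset swap detected={charset_swap}, media-type swap detected={media_swap}")
```

With a body-only digest both swaps go unnoticed because the signed bytes never changed; binding the header makes either relabelling fail verification.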
