Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Jonas Sicking
On Wed, Nov 10, 2010 at 2:43 PM, Getify wrote:
>> Ah okay. So that would never work. As things tagged with "anonymous",
>> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
>> Set-Cookie headers.
>
> First of all, a CORS xhr request could be made with credentials (since
> they're available in the view-source JavaScript)... the question is whether
> or not evil.com making such a request (using CORS) against bank.com with
> credentials would in fact cause the SetCookie response header to be
> interpreted by the browser in such a way that the browser's session cookie
> for bank.com would be killed?

Yes, same way you can using http://bank.com/...";>

> Secondly, are we sure that all implementations of CORS xhr are ignoring
> SetCookie headers in the "without credentials" case?

Please do try it. There isn't much the spec can do other then spec
that they should.

/ Jonas
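A small model of the rule Jonas and Anne describe (a request made without credentials neither sends cookies nor honours Set-Cookie) run against the server policy Billy Hoffman raised; this is an added example, not code from the thread, and `strict_bank`, `logout_page` and the session value are hypothetical constructions.

```python
def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, attributes)."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

class CookieJar:
    """Minimal model of a browser cookie store, keyed by host (constructed)."""
    def __init__(self):
        self.store = {}  # (host, cookie name) -> value

    def request_headers(self, host, credentials):
        """Cookie header for a request; an anonymous request sends none."""
        if not credentials:
            return {}
        pairs = [f"{n}={v}" for (h, n), v in self.store.items() if h == host]
        return {"Cookie": "; ".join(pairs)} if pairs else {}

    def process_response(self, host, set_cookie_lines, credentials):
        """Honour Set-Cookie only for credentialed requests (the thread's rule)."""
        if not credentials:
            return
        for line in set_cookie_lines:
            name, value, attrs = parse_set_cookie(line)
            if int(attrs.get("max-age", "1")) <= 0:  # Max-Age=0 deletes it
                self.store.pop((host, name), None)
            else:
                self.store[(host, name)] = value

def strict_bank(headers):
    """Hypothetical policy from the thread: no Cookie header => expire session."""
    return [] if "Cookie" in headers else ["session=; Max-Age=0"]

def logout_page(headers):
    """Any page that always emits an expiring Set-Cookie (e.g. a logout URL)."""
    return ["session=; Max-Age=0"]

def session_survives(server, credentials):
    """User is logged in to bank.com; a cross-site request is made to `server`."""
    jar = CookieJar()
    jar.store[("bank.com", "session")] = "abc123"  # constructed session id
    headers = jar.request_headers("bank.com", credentials)
    jar.process_response("bank.com", server(headers), credentials)
    return ("bank.com", "session") in jar.store
```

Against `strict_bank` the anonymous request sends no cookie, gets the expiring Set-Cookie, and ignores it, so the session survives; only a credentialed request to a page that unconditionally expires the cookie kills it, which is exactly what an `<img>` to the same URL would do.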



Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Getify

> Ah okay. So that would never work. As things tagged with "anonymous",
> XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
> Set-Cookie headers.


First of all, a CORS xhr request could be made with credentials (since 
they're available in the view-source JavaScript)... the question is whether 
or not evil.com making such a request (using CORS) against bank.com with 
credentials would in fact cause the SetCookie response header to be 
interpreted by the browser in such a way that the browser's session cookie 
for bank.com would be killed?


Secondly, are we sure that all implementations of CORS xhr are ignoring 
SetCookie headers in the "without credentials" case?


--Kyle 





Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Anne van Kesteren
On Wed, 10 Nov 2010 21:40:01 +0100, Bjoern Hoehrmann wrote:

> You can expire the client-side part of the session without knowing which
> session it is, so long as the browser reads the Set-Cookie header in the
> response. You could simply respond with an expired Set-Cookie header to
> any request without a Cookie header. The server-side part of the session
> would remain active, of course, but that makes no difference to users.


Ah okay. So that would never work. As things tagged with "anonymous",
XMLHttpRequest without credentials, or AnonXMLHttpRequest would ignore
Set-Cookie headers.



--
Anne van Kesteren
http://annevankesteren.nl/



Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Bjoern Hoehrmann
* Jonas Sicking wrote:
>> It was brought up by Billy Hoffman (http://zoompf.com) that some web
>> applications have very sensitive sessions and they are set up to expire the
>> session (ie, log the person out) if a request is received that has no
>> session cookie header in it, etc. The assertion was that this type of thing
>> would be a potential DoS attack vector, by allowing an unrelated website to
>> include a hidden  request in their markup that made a
>> request to a site known to log out on such non-cookie requests, and thus
>> effectively logging users out of the app without their control/knowledge.

>How will they know which session to expire given that no cookies are
>sent and so they can't tell who the request is coming from?

You can expire the client-side part of the session without knowing which
session it is, so long as the browser reads the Set-Cookie header in the
response. You could simply respond with an expired Set-Cookie header to
any request without a Cookie header. The server-side part of the session
would remain active, of course, but that makes no difference to users.
-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 



Re: Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Jonas Sicking
On Wed, Nov 10, 2010 at 12:08 PM, Getify wrote:
> A discussion has been going on in W3C public-html about a proposed
> `rel=anonymous` feature that would suppress cookies, auth, referrer headers,
> etc. The purpose would be to use that rel attribute value on static
> resources to improve performance, by cutting down on unnecessary headers
> being sent in the request.
>
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=11235
>
> It was brought up by Billy Hoffman (http://zoompf.com) that some web
> applications have very sensitive sessions and they are set up to expire the
> session (ie, log the person out) if a request is received that has no
> session cookie header in it, etc. The assertion was that this type of thing
> would be a potential DoS attack vector, by allowing an unrelated website to
> include a hidden  request in their markup that made a
> request to a site known to log out on such non-cookie requests, and thus
> effectively logging users out of the app without their control/knowledge.
>
> Whether this is or is not a valid attack vector is possibly open to
> discussion. But it was brought up that if it is valid, then the same
> issue might also affect CORS xhr requests. I was asked to bring this issue
> up here to see if anyone has any knowledge or thoughts on that potential
> issue/vulnerability for CORS xhr?

How will they know which session to expire given that no cookies are
sent and so they can't tell who the request is coming from?

Keep in mind that you can create the same type of request server-to-server.

/ Jonas



Making non-cookie requests to another domain... possible DoS attack by forcing session expiration?

2010-11-10 Thread Getify
A discussion has been going on in W3C public-html about a proposed
`rel=anonymous` feature that would suppress cookies, auth, referrer headers,
etc. The purpose would be to use that rel attribute value on static resources
to improve performance, by cutting down on unnecessary headers being sent in
the request.

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11235

It was brought up by Billy Hoffman (http://zoompf.com) that some web 
applications have very sensitive sessions and they are set up to expire the 
session (ie, log the person out) if a request is received that has no session 
cookie header in it, etc. The assertion was that this type of thing would be a 
potential DoS attack vector, by allowing an unrelated website to include a 
hidden  request in their markup that made a request to a 
site known to log out on such non-cookie requests, and thus effectively logging 
users out of the app without their control/knowledge.

Whether this is or is not a valid attack vector is possibly open to discussion.
But it was brought up that if it is valid, then the same issue might also
affect CORS xhr requests. I was asked to bring this issue up here to see if
anyone has any knowledge or thoughts on that potential issue/vulnerability for
CORS xhr?


--Kyle