One user accessing another user's stuff is not the attack I am describing. The attack I am describing is a purely destructive *someone making a user do stuff* attack. Get a user to do something that they didn't really intend to do. In order to do this, one only needs to get the user to click on a link that has a guessed action in it.
For example, if there's a "delete account" action on a weblocks page where the action id is guessable, *someone* can post a link somewhere that makes people delete their accounts.
If the action id is unguessable, or the session id is part of the url, then this attack is not possible. A third option is to add a framework for confirmation of "important" actions.
On 8/1/07, cl-weblocks cl-weblocks-devel@common-lisp.net wrote:
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
 Reporter:  anonymous   |       Owner:  sakhmechet
     Type:  defect      |      Status:  new
 Priority:  low         |   Milestone:  0.2
Component:  weblocks    |     Version:  pre-0.1
Resolution:             |    Keywords:  security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
- milestone: => 0.2
- priority: critical => low
- version: => pre-0.1
Comment:
I don't think this is an issue. Weblocks stores actions per session specifically so that a user cannot access another user's actions (unless the session has been hijacked). If a malicious site generates a lot of 'transfer' actions, the user still won't be able to access them.
It's probably better to use a scheme that makes action URLs harder to guess anyway, but this isn't critical. Moving to 0.2.
--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
cl-weblocks
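As an added illustration (not code from this thread or from weblocks itself), here is a minimal Python model of a per-session action table with a pluggable id generator: a gensym-style counter reproduces the guessable-id problem the reply describes even though actions are stored per session, while an id drawn from the OS CSPRNG and consumed on first use does not. The names `SessionActions`, `counter_id`, `random_id` and `demo` are assumptions for this example; the "session id in the URL" option is not modelled.

```python
import secrets
from typing import Callable, Dict, Optional

Callback = Callable[[], str]

class SessionActions:
    """Per-session table of server-side actions keyed by the id that appears
    in the link URL (assumed model, not weblocks' own implementation)."""

    def __init__(self, make_id: Callable[[int], str], single_use: bool) -> None:
        self._make_id = make_id
        self._single_use = single_use
        self._actions: Dict[str, Callback] = {}
        self._count = 0

    def register(self, callback: Callback) -> str:
        """Create an action when rendering a page and return its URL id."""
        self._count += 1
        action_id = self._make_id(self._count)
        self._actions[action_id] = callback
        return action_id

    def dispatch(self, action_id: str) -> Optional[str]:
        """Run the action named in a request; None means 'unknown action'."""
        callback = self._actions.get(action_id)
        if callback is None:
            return None
        if self._single_use:
            del self._actions[action_id]  # the link fires at most once
        return callback()

def counter_id(n: int) -> str:
    # Weak: gensym-style counter. The k-th action of every fresh session gets
    # the same id, so anyone can learn it from their own session.
    return f"action{n}"

def random_id(_n: int) -> str:
    # Hardened: 128 bits from the OS CSPRNG, unpredictable across sessions.
    return secrets.token_urlsafe(16)

def demo(make_id: Callable[[int], str], single_use: bool):
    """Two independent sessions each render a 'delete account' link; return
    both ids and the result of replaying session A's id inside session B."""
    alice = SessionActions(make_id, single_use)
    bob = SessionActions(make_id, single_use)
    a_id = alice.register(lambda: "alice: account deleted")
    b_id = bob.register(lambda: "bob: account deleted")
    return a_id, b_id, bob.dispatch(a_id)
```

With `counter_id` the replay in session B succeeds, which is exactly the forced-action case; with `random_id` plus single use it returns `None` and a spent link cannot be fired twice.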