#45: Don't use gensym for actions to avoid XSS attacks
-----------------------+----------------------------------------------------
 Reporter:  anonymous  |       Owner:  sakhmechet
     Type:  defect     |      Status:  new
 Priority:  critical   |   Milestone:
Component:  weblocks   |     Version:
 Keywords:  security   |
-----------------------+----------------------------------------------------
gensym-based action urls can be guessed and thus the following attack is possible:
A user has his weblock-based bank system open. In gmail, the user gets a link to a web-page that will generate lots of guessed action urls that transfer funds out of the user's bank account.
Ways to fix:
1. Require session id in URLs
2. Or, generate stronger non-gensym based action ids
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
  Reporter:  anonymous  |       Owner:  sakhmechet
      Type:  defect     |      Status:  new
  Priority:  low        |   Milestone:  0.2
 Component:  weblocks   |     Version:  pre-0.1
Resolution:             |    Keywords:  security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
  * milestone:  => 0.2
  * priority:  critical => low
  * version:  => pre-0.1
Comment:
I don't think this is an issue. Weblocks stores actions per session specifically so that a user cannot access another user's actions (unless the session has been hijacked). If a malicious site generates a lot of 'transfer' actions the user still won't be able to access them.
It's probably better to use a scheme that makes action URLs harder to guess anyway, but this isn't critical. Moving to 0.2.
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
  Reporter:  anonymous  |       Owner:  sakhmechet
      Type:  defect     |      Status:  new
  Priority:  medium     |   Milestone:  0.1
 Component:  weblocks   |     Version:  pre-0.1
Resolution:             |    Keywords:  security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
  * milestone:  0.2 => 0.1
  * priority:  low => medium
Comment:
On 8/1/07, Alexander Kjeldaas alexander.kjeldaas@gmail.com wrote:
> One user accessing another user's stuff is not the attack I am
> describing.
> The attack I am describing is a purely destructive *someone making a
> user do stuff* attack. Get a user to do something that they didn't
> really intend to do. In order to do this, one only needs to get the
> user to click on a link that has a guessed action in it.
I see.
A multistep solution that comes to mind is this:
1. Split actions into destructive actions that modify back-end data, and 'pure' actions.
2. Ensure that destructive actions are only executed if the HTTP request is initiated via POST. I'll have to double check, but I think browsers don't allow forms to send POST requests to domains different from where HTML originally came from.
3. Programmers will sometimes make mistakes and create destructive actions as regular ones (we could prevent them from doing it in Haskell, but unfortunately not in Lisp). This means all actions, not just destructive ones, must have URLs that are hard to guess.
I'm not sure if I want to implement #1 (and therefore #2) because it forces a programmer to choose between two ways of creating an action. On the other hand this might be a good thing - this is something that needs to be thought out.
#3 should definitely be implemented.
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
  Reporter:  anonymous  |       Owner:  sakhmechet
      Type:  defect     |      Status:  new
  Priority:  medium     |   Milestone:  0.1
 Component:  weblocks   |     Version:  pre-0.1
Resolution:             |    Keywords:  security
------------------------+---------------------------------------------------
Comment (by sakhmechet):
Please forgive the bad formatting. Numbers above don't mean tickets, but points from Alexander's email.
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
  Reporter:  anonymous  |       Owner:  sakhmechet
      Type:  defect     |      Status:  closed
  Priority:  medium     |   Milestone:  0.1
 Component:  weblocks   |     Version:  pre-0.1
Resolution:  fixed      |    Keywords:  security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
  * resolution:  => fixed
  * status:  new => closed
Comment:
Fixed. I implemented approach 3 - action names should now be very hard to guess. I generate a random block of text, hash it with MD5 (to ensure an attacker can't crack the random number generator), and prepend it with a gensym counter (to avoid a very unlikely event of two MD5-encoding action names clashing in the same session).
cl-weblocks-ticket@common-lisp.net
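Added example, not part of the ticket and not Weblocks code: a Python sketch of a per-session action table that contrasts counter-style (gensym-like) action ids with the counter-plus-random ids the fix describes. All class and function names are hypothetical, the "G" prefix and guess list are constructed, and the random part comes straight from the OS CSPRNG via `secrets` rather than from MD5-hashed random text as in the ticket.

```python
import itertools
import secrets


class SessionActions:
    """Per-session action table; knowing an id is all a request needs."""

    def __init__(self, scheme):
        self.scheme = scheme            # "gensym" (before) or "random" (after)
        self._counter = itertools.count(1)
        self._actions = {}              # action id -> callback

    def make_action(self, callback):
        n = next(self._counter)
        if self.scheme == "gensym":
            action_id = f"G{n}"         # fixed prefix + counter, like a gensym name
        else:
            # Counter prefix guarantees uniqueness inside the session;
            # 128 bits from the OS CSPRNG make the id unguessable.
            action_id = f"{n}-{secrets.token_hex(16)}"
        self._actions[action_id] = callback
        return action_id

    def dispatch(self, action_id):
        callback = self._actions.get(action_id)
        return callback() if callback else None   # unknown ids do nothing


def count_guess_hits(session, limit=1000):
    """Replay the guessing described in the ticket: walk the counter space."""
    zero_token = "0" * 32               # constructed filler for the random part
    hits = 0
    for n in range(1, limit + 1):
        for guess in (f"G{n}", f"{n}-{zero_token}"):
            if session.dispatch(guess) is not None:
                hits += 1
    return hits


def run_demo():
    results = {}
    for scheme in ("gensym", "random"):
        transfers = []
        session = SessionActions(scheme)
        session.make_action(lambda: "page rendered")
        real_id = session.make_action(lambda t=transfers: t.append("funds moved") or "done")
        hits = count_guess_hits(session)
        # (guesses that ran an action, transfers triggered by guessing, legit call)
        results[scheme] = (hits, len(transfers), session.dispatch(real_id))
    return results
```

With counter ids both registered actions are reached by guessing, including the one that moves funds; with the random suffix no guess lands, while the id rendered into the user's own page still dispatches.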