7
Mar

For Once, I Support MS Deviating From Spec

   Posted by: Joshbw   in Secure Development

Add Comment

Anne van Kesteren has a blog post deriding MS for deviating from the proposed standard with the inclusion of XDomainRequest. Your can read the horribly dry standard as well as the design decisions behind it here.  To be blunt, the standard (as well as Mr. van Kesteren) is wrong and MS is right in this case, though if you have read a previous post of mine it should be evident that I think standards bodies generally suck at including security.  I think the W3C has a habit of focusing on what web developers want to do, and not whether they *should* be able to do it (essentially the same problem MS had pre-SDL; give the users what they want, not what is in their best interest).

Key to the proposed standard, ”cookies and authentication information should be sent in the request”, which is a horrible, horrible idea.  Sure, it allows the inclusion of session specific information, information for a specific user, from an external domain in the web page the user is viewing which could have some interesting mash-up results, but it also allows the website making the request to access to that information.  In response headers, which necessarily need to be queriable from JavaScript to see if the request worked, that cookie information is going to be readable as will the potentially sensitive information returned as content.  There is no good reason why my website should have access to any other website’s cookie info.

One could argue that a website can always deny a request from an external source unless it happens to be from a specific domain (hah, as if that would be spoofed), and essentially grant content only to predetermined trusted callers, but there is already a mechanism for that.  If I have an agreement with Amazon to access their user specific data from my website, I can do so through a webservice call in my server side code.  It does require a bit more work, but that extra work will require both parties to think very carefully about what is exposed and what level of access to give. 

If this is implemented in a browser, it will be exploited.  Large websites with a strong security record will likely implement this functionality securely, but there are a whole lot of companies out there without strong security records, with marketing people calling the shots, who will allow unrestricted third party websites to make calls to their protected content.  The security community will figure out how to steal cookie information using it (with the current proposal, it would be sort of trivial).  The idea that “Cookies and authentication information is already sent cross-site for various HTML elements, such as img, script, and form. This means that such a request does not introduce a new attack vector.” as the design decisions for the W3C proposal states, is hopelessly naive. Citing requests made outside of JavaScript, where the browser returns no significant information to potentially malicious scripts, is very different from making said requests and granting access to the response and content inside of script.  That the standards body can’t grok the difference is quite worrisome.

Microsoft is absolutely correct in their implementation of XDomainRequest.  It should only have access to information that the whole world has access to, and it should not pass any sensitive information (like sessionIDs stored in cookies) that the original domain does not already have access to.  Is it restrictive, absolutely, but for the blackhats as well as the web developers.  That is sort of the point.  There are secure ways to retrieve information from another domain.  It does require more work.  It also requires more work for me to have to verify my identity when using my credit card than it would if everyone would just trust me, but I think we can all agree that is for my own good.

For all of you complaining about MS not supporting the standard with this, please stop considering for a moment what you could do with the W3C proposal, and consider what a malicious person could do.

~ Joshbw

This entry was posted on Friday, March 7th, 2008 at 10:12 am and is filed under Secure Development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 comments so far

Aaron Wakling
 1 

I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you.

Aaron Wakling

March 7th, 2008 at 10:30 am
Anne van Kesteren
 2 

It still doesn’t explain why they did not communicate and did their own thing without informing others. That was my point. Not that they did not implement the specification you refer to.

March 7th, 2008 at 1:26 pm
Joshbw
 3 

Microsoft is actually very active in the W3C, they chair several of the subcommittees, and so forth. Unless you are speaking from personal experience I don’t think you can rule out them communicating with W3C or the browser companies with a stake in implementing said functionality (considering Window Snyder, chief security something or other at Mozilla, is a former Microserf I would also not rule out her being in the loop).

It is true that they haven’t communicated details to the public until the first public developer beta, but when would be a better time to make the decision public? When the public cannot actually play with the implementation and is left to base any feedback entirely on speculation or when the public can actually see the implementation in action. The public developer beta is largely for the purpose of getting the general public to send feedback while the product can still be changed reflecting the feedback. If that isn’t a good time to inform others, I am not sure when a good time would be.

March 7th, 2008 at 1:38 pm
Anne van Kesteren
 4 

I’m speaking from personal experience in the HTML WG, Web API WG, and WAF WG. I agree they’re active elsewhere, such as in the CSS WG. Dunno really about other WGs.

March 7th, 2008 at 5:14 pm
Joshbw
 5 

Wait, isn’t Chris Wilson one of the chairs of the HTML WG? He is a platform architect on the IE team. He isn’t active in the group he chairs?

If they really didn’t chime up, despite chairing the WG, then by all means, you are right. I don’t have issue with them deviating from the spec in this case, but if they didn’t notify their peers in the W3C that they were doing so, or why, then you are justified in having issue with it (you would be more in the know than I, which will teach me for mouthing off without doing my research about who I was mouthing off about, though I hope I didn’t come across as too rude).

Would you agree that there are some serious security implications with the proposal as it stands though?

March 7th, 2008 at 6:16 pm
Anne van Kesteren
 6 

Your analysis of the specification are incorrect. The requesting party will not have access to the cookie data. If you could send your comments to public-appformats@w3.org that would be much appreciated.

(Part of the concerns are actually that not sending cookies will make some things less secure because it encourages that the requesting party will ask the user for authentication data of the site being targeted.)

March 8th, 2008 at 4:43 am
Joshbw
 7 

Part of the concerns are actually that not sending cookies will make some things less secure because it encourages that the requesting party will ask the user for authentication data of the site being targeted

I can understand that but I actually think that number would be reasonably small. I think even the most security ingorant site developers can realize that a logon on an external system isn’t a great idea, and the need to explicetly send either credientials or a retrieved session identifier with each request as a post (or god forbid, get) paramater would be enough of a pain that many sites would be too lazy to implement it. At the same time if cookies are enabled and the API exposes getAllResponseHeaders() or getResponseHeader(), which would make sense from a functionality standpoint (the feature would be much more handicapped if you couldn’t query the server response than it would not sending cookies), then I can get at the cookies as the script author. I can already do that to get past the HttpOnly flag in an XSS attack.

I do think the browser should strip the cookie from the response header before handing the response to the script, even in the current XMLHttpRequest, to protect against this. (as an aside I think document.cookie should also be disabled except for sites running in some trusted context, if even then. The situations where the client is the better entity to edit or examine cookies rather than the server are very few and far between. In almost every legitimate use the server should be doing that work, even if a design makes it easier to do on the client). Doing so would make me a good deal less wary, and rereading the spec I see I missed that in the user agent section the first time.

Furthermore, the primary reason to pass session or authentication information in the request is to get at a user specific protected portion of the website. Certain well designed websites will expose this to external request in a very well thought out manner, but I think the number of websites that will expose information in a poorly thought out manner will be many. Companies have already proven with their various Web APIs that even if they think about security with their website they often forget it when they implement the other means of accessing their data. I think this is opening the door to enable much more dangerous designs than leaving it out and hoping companies don’t pass credentials in another fashion.

I also think that we already have a safer method of doing cross site requests using web services. There are a wealth of things I can do to ensure my exposed data is only going to trusted sources when the external entity is another server (requiring digital certs, IP filters if only a limited number of external entities, source authentication credentials, etc) that I either can’t do on the client, or would be really dumb (the source authentication credentials, since anyone could view source for static credentials, or drop in with a debugger if the creds are dynamically retrieved). With the client side request, I as the host ultimately cannot trust the real source of the request.

I’ll properly collect my thoughts and post something to the mailing list monday or tuesday (and admittedly do a better job rereading the spec, since I missed the User Agent is supposed to strip cookies from the response the first read through).

March 8th, 2008 at 8:34 am

Leave a reply

Name (*)
Mail (will not be published) (*)
URI
Comment
Back to top