Book Excerpt: The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
January 17, 2012 —
(Page 3 of 6)
Security Checks for Simple Requests
The CORS specification allows simple requests to be submitted to the destination server immediately, without attempting to confirm whether the destination is willing to engage in cross-domain communications to begin with. This decision is based on the fact that the attacker may initiate fairly similar cookie-authenticated traffic by other means (for example, by automatically submitting a form) and, therefore, that there is no point in introducing an additional handshake specifically for CORS.
The crucial security check is carried out only after the response is retrieved from the server: The data is revealed to the caller through the XMLHttpRequest API only if the response includes a suitable, well-formed Access-Control-Allow-Origin header. To assist the server, the original request will include a mandatory Origin header, specifying the origin associated with the calling script.
To illustrate this behavior, consider the following cross-domain XMLHttpRequest call performed from http://www.bunnyoutlet.com/:
var x = new XMLHttpRequest();   // 'new' is required; calling the constructor bare throws a TypeError
x.open('GET', 'http://fuzzybunnies.com/get_message.php?id=42', false);   // synchronous cross-domain GET
x.send(null);
The result will be an HTTP request that looks roughly like this:
GET /get_message.php?id=42 HTTP/1.0
Host: fuzzybunnies.com
Cookie: FUZZYBUNNIES_SESSION_ID=EA7E8167CE8B6AD93D43AC5AA869A920
Origin: http://www.bunnyoutlet.com
To indicate that the response should be readable across domains, the server needs to respond with
HTTP/1.0 200 OK
Access-Control-Allow-Origin: http://www.bunnyoutlet.com
The secret message is: "It's a cold day for pontooning."
NOTE: It is possible to use a wildcard ("*") in Access-Control-Allow-Origin, but do so with care. It is certainly unwise to indiscriminately set Access-Control-Allow-Origin: * on all HTTP responses, because this step largely eliminates any assurances of the same-origin policy in CORS-compliant browsers.
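The following is an added example (not code from The Tangled Web, and not any browser's implementation) that models the two sides of the exchange described above and in the note about the wildcard: what makes a request "simple" enough to skip the preflight, the check a browser performs on Access-Control-Allow-Origin before exposing the response, and the server-side alternative to a blanket "*", namely echoing only origins from an explicit allowlist. The origins are the ones from the excerpt; the function names, the allowlist and the sample request are constructed for illustration. The read check follows the CORS check of the current Fetch standard, which goes one step beyond the excerpt: when the request carries credentials (XMLHttpRequest's withCredentials flag), a "*" is refused and the server must also send Access-Control-Allow-Credentials: true, so the wildcard mainly exposes responses to unauthenticated requests.

```javascript
// Added example: a model of CORS "simple request" handling. Not code from the
// book or from any browser; function names and sample data are constructed.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Does a request with this method and these author-set headers qualify as
// "simple", i.e. may it be sent to the server without a preflight?
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// The check performed after the response arrives: may the calling script read
// the body? `withCredentials` mirrors the XMLHttpRequest flag of the same name.
function corsAllowsRead(requestOrigin, responseHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;     // header missing: response stays opaque
  if (allowOrigin.includes(',')) return false;      // exactly one value is permitted
  if (!withCredentials && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;  // must match the Origin byte-for-byte
  if (!withCredentials) return true;
  // A credentialed response additionally needs an explicit opt-in from the server.
  return h['access-control-allow-credentials'] === 'true';
}

// Server side: the safe alternative to "*". Echo the request's Origin only when
// it is on an explicit allowlist; otherwise emit no CORS headers at all.
function corsResponseHeaders(requestOrigin, allowlist, allowCredentials) {
  const out = {};
  if (requestOrigin === undefined || !allowlist.has(requestOrigin)) return out;
  out['Access-Control-Allow-Origin'] = requestOrigin;
  out['Vary'] = 'Origin'; // per-origin responses must not be served from cache to another origin
  if (allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';
  return out;
}

// Walk the exchange from the excerpt: a plain GET from www.bunnyoutlet.com to
// fuzzybunnies.com, where the server allowlists exactly that origin.
function demo() {
  const origin = 'http://www.bunnyoutlet.com';
  const simple = isSimpleRequest('GET', {});
  const response = corsResponseHeaders(origin, new Set([origin]), false);
  return { simple, readable: corsAllowsRead(origin, response, false) };
}

console.log(demo());
```

The allowlist version also protects against a common mistake that is as bad as the wildcard: reflecting whatever Origin value arrives. Because the browser compares the header against the caller's origin byte-for-byte, the server must return the exact origin string (scheme, host and any port) rather than a looser pattern, and the Vary: Origin header keeps a response tailored to one origin from being cached and handed to another.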
Share this link:
http://sdt.bz/36270