XmlHttpRequest

  • Daniel Kabs

    #16
    Re: XmlHttpRequest

    Hello!

    Jim Ley wrote:
    >>This "security risk" is not so different from embedding pages using
    >>iframes. If example.com page outputs HTML (which is more prevalent than
    >>XML/XSLT), everybody can embed example.com on their own pages using
    >>iframes.
    >
    > no, this is completely wrong, the security risk is much, much higher,
    > these embedding or image src techniques are one way, you can't read
    > what you get back. This severely limits what you can do.

    I think, this is debatable. And before we continue to evaluate the level of
    "security risk" one of these techniques generates, I suggest we should
    clarify *what* the "bad guys" (got a better term for them?) want to do.

    Example: If they succeed by just submitting information, then not being able
    to read back doesn't help anything.

    >>I reckon, using a cunningly designed parent page you could add your own
    >>submit buttons underneath the iframe and deceive the user to click them,
    >>sending a request that's completely under the control of example.org.
    >
    > So it would submit, none of the fields would be sent from the field
    > the user entered in the other form.

    I just wanted to give an example of how you could submit forged data *on
    behalf* of the user without using XmlHttpRequest. You are right, this way
    you don't get any information from the user. So my answer fits better to
    the posting from Matt Kruse and does not belong here.

    In fact, Martin was talking about "page spoofing". And that would be
    realized not using iframes but creating a copy of the original page and
    storing it on example.org (bad server).

    > Yes, which is a completely different thing to xmlhttprequest. cross
    > domain xmlhttprequest would make phishing a very different activity, you
    > could just do live man in middle attacks from inside the users
    > browser, not a good idea!

    Sounds interesting, an "intra-browser" attack. :-)

    True, denying cross domain XmlHttpRequests raises the bar to gather user
    information. But then, once you got the user on example.org or
    http://www.ghoogle.com he is lost anyway.

    Cheers
    Daniel



    • Thomas 'PointedEars' Lahn

      #17
      Re: XmlHttpRequest

      Daniel Kabs wrote:
      > Matt Kruse wrote:
      >> XmlHttpRequests are sent just as if the user requested the URL, sending
      >> cookies and everything.
      >
      > Thanks for the information, I did not consider cookies and that stuff.
      >
      >> I could write a page which invisibly requested pages from ebay, paypal,
      >> etc where your stored cookie might allow you to skip the login process. I
      >> could then parse the results and potentially gain access to private
      >> information.
      >
      > Is that approach limited to scripts, only?

      No, it is not.

      > I could write a page that embeds an <img> tag and craft the src attribute
      > to contain the form values for bidding on a certain ebay auction.

      You would not succeed this way, since they most certainly use sessions _and_
      POST requests. The cookie and URL do not carry enough information, so the
      (GET) request would be "rejected". However, with XMLHTTPRequest supported,
      POST requests are possible.

      > The browser sends the HTTP request and the ebay server processes the GET
      > request as if the user requested the URL, isn't it?

      If they would be this careless, eBay would not be what it is today.

      > Of course, the user will never see the resulting page but the request
      > might be enough to trigger an action to the user's disadvantage.

      Yes, but not with the URL (of the GET request) alone.


      PointedEars
      --
      He who lets himself drift has not yet understood his own drive.
      -- Jürgen 'Jygn' Klingforth


      • Daniel Kabs

        #18
        ebay and security (war: XmlHttpRequest)

        Thomas 'PointedEars' Lahn wrote:
        >> I could write a page that embeds an <img> tag and craft the src
        >> attribute to contain the form values for bidding on a certain ebay
        >> auction.
        >
        > You would not succeed this way, since they most certainly use sessions
        > _and_ POST requests.

        That presumes, ebay is currently checking that bidding forms can only be
        submitted using POST requests. I doubt this and I invite you to check this.
        There is a nifty tool for Mozilla/FF called "Web Developer Tool Bar":

        It disables Javascript with one click and turns POST requests into GET
        requests. Do this conversion just before placing your bid.

        > If they would be this careless, eBay would not be what it is today.

        I miss the <ironic mode='on'> tag here.

        Are you saying that ebay is caring for the security of their customers? Do
        you insinuate that ebay has always been carefully crafting their server
        pages to achieve the highest security possible? Are you suggesting that
        ebay protects their customers by fixing known bugs immediately?

        I don't think so! They just got away with it. There have been numerous
        reports how the security on ebay is flawed.

        Cheers
        Daniel Kabs
        Germany
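The two sides of the exchange above (post #17: "they use sessions and POST, so a forged GET is rejected"; post #18: "that presumes the server actually refuses GET, and a toolbar can turn the POST into a GET") can be made concrete with a small server-side model. The following is an added example, not code from the thread or from any auction site: the handler names, the request shape and the session store are all constructed here, and the server that only accepts POST is an assumption, not a statement about eBay.

```javascript
// Added example (not from the thread). Models a bid endpoint two ways:
// one that accepts parameters from either the query string or the body,
// and one that insists on POST with parameters in the body only.
// Names (handleBidCareless, handleBidStrict) and the request shape are assumptions.

// Constructed session store: cookie value -> logged-in user.
const SESSIONS = { "sid-abc123": "alice" };

// A request as a server sees it after parsing: { method, query, body, cookies }.
function userFromCookie(req) {
  return SESSIONS[req.cookies.session] || null;
}

// Careless handler: merges query-string and body parameters, so a GET that
// merely carries the session cookie (the <img src> trick from post #17, or a
// POST rewritten into a GET as in post #18) places a bid.
function handleBidCareless(req) {
  const user = userFromCookie(req);
  if (!user) return { status: 403, reason: "not logged in" };
  const params = { ...req.query, ...req.body };
  if (!params.item || !params.bid) return { status: 400, reason: "missing fields" };
  return { status: 200, bid: { user, item: params.item, amount: Number(params.bid) } };
}

// Strict handler: a state-changing action is only taken on POST, and only from
// body parameters. The forged GET is refused with 405, whatever the query says.
function handleBidStrict(req) {
  const user = userFromCookie(req);
  if (!user) return { status: 403, reason: "not logged in" };
  if (req.method !== "POST") return { status: 405, reason: "GET not allowed for bids" };
  const { item, bid } = req.body;
  if (!item || !bid) return { status: 400, reason: "missing fields" };
  return { status: 200, bid: { user, item, amount: Number(bid) } };
}

// Constructed request: what the browser sends when some other page embeds
// <img src="http://auction.example/bid?item=42&bid=100"> while the visitor holds
// a valid session cookie. A POST converted to GET by a toolbar looks the same.
const forgedImgGet = {
  method: "GET",
  query: { item: "42", bid: "100" },
  body: {},
  cookies: { session: "sid-abc123" },
};

// Constructed request: the legitimate bidding form submission.
const realPost = {
  method: "POST",
  query: {},
  body: { item: "42", bid: "100" },
  cookies: { session: "sid-abc123" },
};

// Side-by-side result for the reader.
console.log("careless, forged GET:", handleBidCareless(forgedImgGet));
console.log("strict,   forged GET:", handleBidStrict(forgedImgGet));
console.log("strict,   real POST: ", handleBidStrict(realPost));
```

Running it shows the careless handler accepting the forged GET (status 200) and the strict one rejecting it (405) while still serving the real POST. One caveat a practitioner would add: enforcing the method stops the <img> and the query-string-rewrite cases discussed here, but a cross-site HTML form can also be submitted with method POST and the victim's cookies attached, so a per-session secret in the form (which the thread does not cover) is what finally ties the request to the user's own page.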


        • Thomas 'PointedEars' Lahn

          #19
          Re: ebay and security

          Daniel Kabs wrote:
          > Thomas 'PointedEars' Lahn wrote:
          >>> I could write a page that embeds an <img> tag and craft the src
          >>> attribute to contain the form values for bidding on a certain ebay
          >>> auction.
          >> You would not succeed this way, since they most certainly use sessions
          >> _and_ POST requests.
          >
          > That presumes, ebay is currently checking that bidding forms can only be
          > submitted using POST requests.

          Yes, indeed.

          > I doubt this

          ACK

          > and I invite you to check this.

          No. For two reasons:

          1. You are the one that doubts, not me. I have only mentioned
          a possibility that IMO has a quite high probability to be.

          2. I do not have an eBay account and that is not going to change
          in the foreseeable future.

          > There is a nifty tool for Mozilla/FF called "Web Developer Tool
          > Bar": http://www.chrispederick.com/work/firefox/webdeveloper/

          Thanks, I have it already installed.

          > It disables Javascript with one click

          What's that to do with the fact in question?

          > and turns POST requests into GET requests. Do this conversion just
          > before placing your bid.

          Next one, please.

          >> If they would be this careless, eBay would not be what it is today.
          >
          > I miss the <ironic mode='on'> tag here.

          Well, I don't.

          > Are you saying that ebay is caring for the security of their customers?

          I do hope so.

          > Do you insinuate that ebay has always been carefully crafting their server
          > pages to achieve the highest security possible? Are you suggesting that
          > ebay protects their customers by fixing known bugs immediately?

          Not "always" and "immediately", but "most of the time" and "with a
          reasonable delay".

          > I don't think so! They just got away with it. There have been numerous
          > reports how the security on ebay is flawed.

          Ahh -- but there are also reports that security holes on eBay have been
          fixed. However, this is going straight OT. Please let us continue it
          elsewhere, if ever.


          PointedEars

          P.S.: In private mails, you may also write in German.
          P.P.S.: Don't use "(war: ...)" in subjects but "(was: ...)".
          The latter form is also common and supported in de.ALL.
          --
          I hear, and I forget; I see, and I remember; I do, and I understand.
          -- Chinese proverb


          • Daniel Kabs

            #20
            Re: ebay and security

            Hello!

            Thomas 'PointedEars' Lahn wrote:
            >> Do you insinuate that ebay has always been carefully crafting their
            >> server pages to achieve the highest security possible? Are you suggesting
            >> that ebay protects their customers by fixing known bugs immediately?
            >
            > Not "always" and "immediately", but "most of the time" and "with a
            > reasonable delay".

            How can you say that? Do you care? You don't even have an account on ebay!

            To be on topic: regarding javascript security on ebay, I recommend you go to
            http://www.wortfilter.de and enter "javascript " in the search form on the
            top right corner of the page.

            Cheers
            Daniel



            • Thomas 'PointedEars' Lahn

              #21
              Re: ebay and security

              Daniel Kabs wrote:
              > Thomas 'PointedEars' Lahn wrote:
              >>> Do you insinuate that ebay has always been carefully crafting their
              >>> server pages to achieve the highest security possible? Are you
              >>> suggesting that ebay protects their customers by fixing known bugs
              >>> immediately?
              >> Not "always" and "immediately", but "most of the time" and "with a
              >> reasonable delay".
              >
              > How can you say that?

              Because I think positive. Perhaps this is a misunderstanding regarding
              the word "(to) suggest".

              > Do you care?

              Yes, I do.

              > You don't even have an account on ebay!

              Correct.

              > To be on topic: regarding javascript security on ebay, I recommend you go
              > to http://www.wortfilter.de and enter "javascript " in the search form on
              > the top right corner of the page.

              Interesting, but nothing really new there.


              PointedEars
              --
              > Little by little, in a larger Word document, ... disappear
              That is a program for writing letters. Just take note of
              that. There are no larger Word documents, only documents
              that are too large for Word. -- BGKS Kulms in fch
