[cap-talk] CORS and GIFAR attacks

Adam Barth cap-talk at adambarth.com
Wed Oct 7 12:10:44 EDT 2009


On Wed, Oct 7, 2009 at 7:03 AM, Toby Murray <tobycmurray at googlemail.com> wrote:
> Many here thought that the proposal was not the right way to solve
> cross-site request forgery and similar attacks. However, there was some
> difficulty coming up with a widespread example of where CORS would fail.

CORS does not attempt to solve the cross-site request forgery problem.

> I haven't looked again at CORS since it was discussed, but to me this [GIFAR] would
> appear to break it. Can anyone confirm that?

Yes.  GIFAR breaks all browser security mechanisms because the
attacker gets to run arbitrary script with the privileges of the
victim web site.  We shouldn't view this as a problem with CORS but as
a problem with GIFAR or the web security model in general.

> More generally, can anyone more familiar with web security comment on
> whether this appears to be a valid threat?

Most practitioners would not consider this a threat in the CORS threat
model in the same way we wouldn't consider an arbitrary code execution
vulnerability in the browser to be in the CORS threat model.

> * Note that the attack works for other formats as well, including other
> images like jpeg, png etc. as well as e.g. shockwave flash .swf too. [2]

If you're interested in this kind of attack, you might be interested
in reading this paper:

http://www.adambarth.com/papers/2009/barth-caballero-song.pdf

Adam
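The polyglot structure the thread refers to (an image prefix whose tail is also a JAR/ZIP archive) can be checked for at the point where a site accepts user-supplied images, because ZIP and JAR readers locate the archive from the end-of-central-directory record rather than from the start of the file. The following is an added example, not code from this thread or from any browser or Java vendor: a Python upload validator that sniffs the image magic, checks whether the same bytes also parse as a ZIP container, and rejects the combination. The magic prefixes cover the formats named in the thread (GIF, JPEG, PNG, SWF); the minimal GIF and the ZIP payload are constructed inline as test input and are not real files.

```python
import io
import struct
import zipfile

# Leading magic bytes for the formats named in the thread.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"FWS": "swf",  # uncompressed Flash
    b"CWS": "swf",  # zlib-compressed Flash
}

# ZIP end-of-central-directory signature; the record is 22 bytes plus an
# optional comment of at most 65535 bytes, so it sits in the last 65557 bytes.
ZIP_EOCD = b"PK\x05\x06"
EOCD_SEARCH_WINDOW = 22 + 65535


def sniff_image(data: bytes):
    """Return the image/flash type implied by the leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_zip(data: bytes) -> bool:
    """True if a ZIP/JAR reader would accept these bytes as an archive.

    Archive readers look for the EOCD record at the *end* of the file, so a
    valid image header at the start does not stop them; mirror that behaviour.
    """
    if ZIP_EOCD not in data[-EOCD_SEARCH_WINDOW:]:
        return False
    return zipfile.is_zipfile(io.BytesIO(data))


def classify(data: bytes) -> str:
    """Label the blob as an image type, 'zip', 'polyglot:<image>+zip' or 'unknown'."""
    image = sniff_image(data)
    is_zip = looks_like_zip(data)
    if image and is_zip:
        return f"polyglot:{image}+zip"
    if image:
        return image
    if is_zip:
        return "zip"
    return "unknown"


def accept_upload(data: bytes) -> bool:
    """Accept only a recognised image that is not also a ZIP container."""
    return sniff_image(data) is not None and not looks_like_zip(data)


# ---- constructed sample inputs (not files from the thread) ----

def minimal_gif() -> bytes:
    """Smallest well-formed 1x1 GIF89a: header, screen descriptor, 2-entry
    colour table, image descriptor, minimal LZW data, trailer."""
    return (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
            + b"\x00\x00\x00\xff\xff\xff"
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00" + b"\x3b")


def zip_with_text(name: str, text: str) -> bytes:
    """Build an in-memory ZIP holding one text entry (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    plain = minimal_gif()
    combined = plain + zip_with_text("note.txt", "constructed sample text")
    print(classify(plain), accept_upload(plain))          # gif True
    print(classify(combined), accept_upload(combined))    # polyglot:gif+zip False
```

The check is deliberately asymmetric: a blob is rejected when it satisfies two loaders at once, which is what makes the GIFAR class of files dangerous regardless of which image format is on the front. Checking only the first few bytes, as many upload filters do, would pass every one of these files.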

