[cap-talk] CORS and GIFAR attacks
Adam Barth
cap-talk at adambarth.com
Wed Oct 7 12:37:32 EDT 2009
On Wed, Oct 7, 2009 at 9:26 AM, Sandro Magi <naasking at higherlogics.com> wrote:
> Adam Barth wrote:
>> Yes. GIFAR breaks all browser security mechanisms because the
>> attacker gets to run arbitrary script with the privileges of the
>> victim web site. We shouldn't view this as a problem with CORS but as
>> a problem with GIFAR or the web security model in general.
>
> And yet, I can't help but note that the unique token approaches
> suggested by myself and David Chizmadia would not be vulnerable to any
> such attacks, since we already assume that the client may be hostile.
If I'm able to mount a GIFAR attack, then I already have all the
privileges I could possibly obtain via CORS. In particular, if
there's some attack I can mount in a browser that supports CORS, then
I can mount that attack in a browser that doesn't support CORS. For
this reason, there isn't anything CORS can do to mitigate this threat.
Adam
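An added illustration of the attack the thread is about, not part of Adam's or Sandro's messages: a GIF decoder reads a file from the front, a ZIP/JAR reader locates the central directory from the end, so a GIF with a JAR appended is accepted by both. The code below builds such a polyglot from constructed sample data (a hand-assembled 1x1 GIF and a ZIP whose "payload.txt" member is placeholder text, not bytecode), shows Python's stdlib zipfile opening it, and then gives the upload-side checks a site operator would want: does the "image" also parse as an archive, and is there anything after the GIF trailer. The function and constant names are this example's own.

```python
import io
import zipfile

# Constructed sample input: a minimal 1x1 GIF89a with no colour tables.
MINIMAL_GIF = (
    b"GIF89a"                 # signature + version
    b"\x01\x00\x01\x00"       # logical screen 1 x 1
    b"\x00\x00\x00"           # packed (no global colour table), bg index, aspect
    b"\x2c\x00\x00\x00\x00"   # image descriptor: left 0, top 0
    b"\x01\x00\x01\x00\x00"   # width 1, height 1, packed (no local colour table)
    b"\x02"                   # LZW minimum code size
    b"\x02\x44\x01"           # one data sub-block of 2 bytes
    b"\x00"                   # sub-block terminator
    b"\x3b"                   # GIF trailer: a well-formed image ends here
)

# Constructed placeholder archive content (stands in for a class file).
PAYLOAD = b"placeholder member, not real bytecode"


def build_jar(files: dict) -> bytes:
    """Return a ZIP archive (a JAR is a ZIP with a manifest) holding `files`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_gifar(gif: bytes, jar: bytes) -> bytes:
    """GIF first (parsed from the front), JAR second (parsed from the end)."""
    return gif + jar


def is_gif(data: bytes) -> bool:
    return data[:6] in (b"GIF87a", b"GIF89a")


def is_zip(data: bytes) -> bool:
    # zipfile searches for the end-of-central-directory record from the
    # end of the file, exactly like a JVM, so prepended GIF bytes are ignored.
    return zipfile.is_zipfile(io.BytesIO(data))


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def gif_image_end(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the trailer."""
    if not is_gif(data):
        raise ValueError("not a GIF")

    def skip_sub_blocks(p: int) -> int:
        while True:
            size = data[p]
            p += 1
            if size == 0:
                return p
            p += size

    try:
        pos = 6
        packed = data[pos + 4]          # logical screen descriptor flags
        pos += 7
        if packed & 0x80:               # global colour table present
            pos += 3 * (2 ** ((packed & 0x07) + 1))
        while True:
            block = data[pos]
            pos += 1
            if block == 0x3B:           # trailer
                return pos
            if block == 0x2C:           # image descriptor
                lct = data[pos + 8]
                pos += 9
                if lct & 0x80:          # local colour table present
                    pos += 3 * (2 ** ((lct & 0x07) + 1))
                pos += 1                # LZW minimum code size
                pos = skip_sub_blocks(pos)
            elif block == 0x21:         # extension: label, then sub-blocks
                pos += 1
                pos = skip_sub_blocks(pos)
            else:
                raise ValueError(f"unknown block 0x{block:02x} at {pos - 1}")
    except IndexError:
        raise ValueError("truncated GIF, no trailer reached") from None


def check_gif_upload(data: bytes) -> str:
    """Return 'ok' or a rejection reason for a file that claims to be a GIF."""
    if not is_gif(data):
        return "rejected: not a GIF"
    if is_zip(data):                    # the specific GIFAR signature
        return "rejected: also parses as a ZIP/JAR"
    try:
        end = gif_image_end(data)
    except ValueError as exc:
        return f"rejected: malformed GIF ({exc})"
    if end != len(data):                # the general check: no trailing data
        return f"rejected: {len(data) - end} bytes after GIF trailer"
    return "ok"


def strip_after_trailer(data: bytes) -> bytes:
    """Drop everything after the GIF trailer; removes an appended archive."""
    return data[: gif_image_end(data)]


GIFAR = build_gifar(
    MINIMAL_GIF,
    build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
               "payload.txt": PAYLOAD}),
)

if __name__ == "__main__":
    print("starts as GIF:", is_gif(GIFAR), "| opens as ZIP:", is_zip(GIFAR))
    print("member read back:", read_member(GIFAR, "payload.txt"))
    print("upload check:", check_gif_upload(GIFAR))
    print("after truncation, still ZIP:", is_zip(strip_after_trailer(GIFAR)))
```

Truncating at the trailer or re-encoding the image server-side removes the appended archive, but the rejection check is only a defence for the upload path; it does nothing for the point Adam makes above, that once an attacker's archive is served from the victim's origin, every same-origin protection is already lost, with or without CORS.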