WebApp Sec mailing list archives
RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash"
From: "James Pujals" <james.pujals () sterlingpayment com>
Date: Thu, 27 Jul 2006 14:07:44 -0400
It's trivial for the attacker to forge any HTTP request header when the attacker is in DIRECT contact with the web server. And I think that's what you refer to, as well as the OWASP text you quoted. But the picture was considered to be significantly different when the attacker was NOT in direct contact with the server. That is, the attacker is able to serve malicious HTML content to the victim, who uses a browser. In such scenario, the attacker is limited to whatever the victim's browser can do across domains. And that's very limited (well, unless you throw in Flash...). Sure, you can send requests to URLs with any parameters (and that's quite interesting in itself, see today's message - http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00086.html), but until this week, there was no control over the HTTP request headers that are sent across domain (well, you could inject data into some parts of the Referer header - not the entire host though, and you could control part of the host header, but not much beyond that). This browser limitation is what I meant when I wrote "implicit assumption". I hope that clarifies my statements. << Thanks for your response and clarification. Perhaps I'm missing something, but I do not see how this particular vehicle of attack changes the original known threat. Are you implying that the user (whose browser renders the malicious flash unknowingly) is open to new risks by this mechanism? As I understood your original report, the threat was on the web application itself (and thus your comment about how they shouldn't rely on the inviolability of the HTTP headers), and if so, it is just the same threat as I mentioned before. I'm not trying to challenge your argument, I'm just trying to understand it better, as I may be understanding it. In any case, your findings are certainly interesting, and something that should be addressed not only by browser implementors, but by Adobe on its Flash framework (and of course, by web developers, but I take that as a given). -dZ. ------------------------------------------------------------------------- Sponsored by: Watchfire AppScan 6.5 is now available! New features for Web Services Testing, Advanced Automated Capabilities for Penetration Testers, PCI Compliance Reporting, Token Analysis, Authentication testing, Automated JavaScript execution and much more. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc -------------------------------------------------------------------------
Current thread:
- Write-up by Amit Klein: "Forging HTTP request headers with Flash" Amit Klein (AKsecurity) (Jul 24)
- ERRATA (Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash") Amit Klein (AKsecurity) (Jul 26)
- RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash" James Pujals (Jul 27)
- RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Amit Klein (AKsecurity) (Jul 27)
- RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash" James Pujals (Jul 27)
- RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Amit Klein (AKsecurity) (Jul 27)
- RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash" Amit Klein (AKsecurity) (Jul 27)