[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC 3986
From: |
Maxime Devos |
Subject: |
Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC 3986 5.2. |
Date: |
Wed, 4 Oct 2023 00:22:21 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 |
Op 03-10-2023 om 22:03 schreef Vivien Kraus:
Hello!
Le lundi 25 septembre 2023 à 22:46 +0200, Maxime Devos a écrit :
However, there are also some dangers on doing this
thing -- the ‘external’ pagehttps://example.com/data.json could
redirect to
http://localhost/unsecured-secret-but-its-localhost-only-so-it-is-safe
.
Since you want to warn users about this problem, I have to first
understand why it is a problem at all. Your example literally ends with
"so it is safe", and I fail to see why it would be a problem. Could you
elaborate?
The 'so-it-is-safe' is ironic, as in,
‘so-naively-you-might-have-thought-it-was-safe-but-it-isnt'..
More concretely, here is how things could be used for a data
exfiltration attack:
Let's say that user U has a local web server (localhost), on which
passwords are saved.
Furthermore, let's say that U locally runs software that periodically
downloads https://secretly-evil-or-compromised.com/page and uploads a
copy to https://somewhere-public.org. (For example, maybe U wants to
know how secretly-evil-or-compromised.com/page evolves over time, and
shares the results with other people.)
The attacker, who controls secretly-evil-or-compromised.com, adjusts the
server to redirect https://secretly-evil-or-compromised.com/page to
http://localhost/passwords.
Now, next time the software is run, the software notices the redirect
https://secretly-evil-or-compromised.com/page ->
http://localhost/passwords, so it naively follows the redirect and now
the passwords are copied to a public web page that the attackers can
access, even though supposedly the passwords were localhost-only!
For another attack, see
<https://about.gitlab.com/blog/2021/09/07/why-are-developers-vulnerable-to-driveby-attacks/>.
Best practices against this are two-fold:
* redirections are not followed across ‘scopes’
(e.g., global internet website -> localhost website is forbidden).
This can be quite complex, but at least some cases are handled by
Firefox, IIRC.
In case of browsers, there are also XSS prevention things etc..
The best prevention is not allowing redirects at all or only
allowing redirections that keep the hostname intact -- while an
option for much software, it isn't an option for web browsers.
* web servers don't rely on being not directly inaccessible from the
network for security, instead, they also require things like
cookies, logins, not-technically-a-cookie-but-?secret=something-long.
Best regards,
Maxime.
OpenPGP_0x49E3EE22191725EE.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature