Network Security: Detailed info on RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash"

Subject:	RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash"
Date:	Thu, 27 Jul 2006 14:07:44 -0400

It's trivial for the attacker to forge any HTTP request header when the 
attacker is in
DIRECT contact with the web server. And I think that's what you refer to, as 
well as the
OWASP text you quoted.

But the picture was considered to be significantly different when the attacker 
was NOT in
direct contact with the server. That is, the attacker is able to serve 
malicious HTML
content to the victim, who uses a browser. In such scenario, the attacker is 
limited to
whatever the victim's browser can do across domains. And that's very limited 
(well, unless
you throw in Flash...). Sure, you can send requests to URLs with any parameters 
(and that's
quite interesting in itself, see today's message -
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00086.html), but 
until this
week, there was no control over the HTTP request headers that are sent across 
domain (well,
you could inject data into some parts of the Referer header - not the entire 
host though,
and you could control part of the host header, but not much beyond that). This 
browser
limitation is what I meant when I wrote "implicit assumption".

I hope that clarifies my statements.
<<
 
Thanks for your response and clarification.  Perhaps I'm missing something, but 
I do not see how this particular vehicle of attack changes the original known 
threat.  Are you implying that the user (whose browser renders the malicious 
flash unknowingly) is open to new risks by this mechanism?  As I understood 
your original report, the threat was on the web application itself (and thus 
your comment about how they shouldn't rely on the inviolability of the HTTP 
headers), and if so, it is just the same threat as I mentioned before.
 
I'm not trying to challenge your argument, I'm just trying to understand it 
better, as I may be understanding it.
 
In any case, your findings are certainly interesting, and something that should 
be addressed not only by browser implementors, but by Adobe on its Flash 
framework (and of course, by web developers, but I take that as a given).
 
     -dZ.

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, 
Advanced Automated Capabilities for Penetration Testers, PCI Compliance 
Reporting, Token Analysis, Authentication testing, Automated JavaScript 
execution and much more. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity) ERRATA (Re: Write-up by Amit Klein: "Forging HTTP request headers with Flash"), Amit Klein (AKsecurity) RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", James Pujals RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity) RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", James Pujals <= RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity)

Previous by Date:	RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity)
Next by Date:	RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", James Pujals
Previous by Thread:	RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity)
Next by Thread:	RE: Write-up by Amit Klein: "Forging HTTP request headers with Flash", Amit Klein (AKsecurity)
Indexes:	[Date] [Thread] [Top] [All Lists]