Re: [OAUTH-WG] Web apps BCP feedback

Jim Manico <jim@manicode.com> Sat, 25 September 2021 17:20 UTC

From: Jim Manico <jim@manicode.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 25 Sep 2021 07:19:54 -1000
Message-Id: <2EA892D6-D2F5-46AA-9B03-63F7AC4C5A69@manicode.com>
References: <CAO7Ng+sEnFxdVhwqc0YmAhWv2k48_KfreS_m_uXH=xeA9HZEOQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
In-Reply-To: <CAO7Ng+sEnFxdVhwqc0YmAhWv2k48_KfreS_m_uXH=xeA9HZEOQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mx91WWJvgJcyMdw9YZ94MYCJD18>
Subject: Re: [OAUTH-WG] Web apps BCP feedback

If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected by any other standard form of CSRF defense.

CSRF is a Cross Site attack where the attack is hosted on a different domain.

--
Jim Manico

> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dbaier@leastprivilege.com> wrote:
> 
> 
> In 6.1 it says
> 
> "Additionally, the SameSite cookie attribute can be used to
> prevent CSRF attacks, or alternatively, the application and API could
> be written to use anti-CSRF tokens."
> 
> “Prevent” is a bit strong.
> 
> SameSite only restricts cookies sent across site boundaries. It does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover, or just some vulnerable application co-located on the same site.
> 
> thanks
> ———
> Dominick Baier
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
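The distinction both messages turn on, "site" versus "origin", is easy to check in code. The following is an added example, not part of the thread or of the BCP draft: a small model of the browser's SameSite decision, with the scheme plus registrable domain (eTLD+1) as the site boundary. The public-suffix list is a constructed four-entry subset (browsers use the full list), and the hostnames and request contexts at the bottom are constructed for illustration, not taken from any real deployment.

```javascript
// Added example (not from the thread): model when a browser attaches a cookie
// given its SameSite attribute, to show why SameSite stops cross-site requests
// but not requests from a compromised sub-domain of the same site.
//
// Assumptions: PUBLIC_SUFFIXES is a tiny constructed subset of the real
// public-suffix list, and the request contexts in SCENARIOS are constructed.

const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one
// label. "api.example.com" and "evil.example.com" both map to "example.com".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  // No known suffix (e.g. "localhost"): the whole host is its own site.
  return labels.join(".");
}

// Schemeful same-site: same scheme and same registrable domain. Port and
// sub-domain play no part, which is exactly the gap the thread describes.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// cookie: { name, sameSite: "Strict" | "Lax" | "None" | undefined, secure }
// ctx:    { initiator: URL of the page issuing the request, target: URL
//           being requested, method, topLevelNavigation }
function cookieAttached(cookie, ctx) {
  const target = new URL(ctx.target);
  if (cookie.secure && target.protocol !== "https:") return false;
  const sameSite = isSameSite(ctx.initiator, ctx.target);
  // Chromium treats an unspecified SameSite as Lax; we do the same here.
  const mode = cookie.sameSite || "Lax";
  switch (mode) {
    case "Strict":
      return sameSite;
    case "Lax":
      // Lax also allows cross-site top-level navigations with a safe method.
      return sameSite || (ctx.topLevelNavigation && ctx.method === "GET");
    case "None":
      // SameSite=None is only honoured together with Secure.
      return cookie.secure;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

const SESSION = { name: "session", sameSite: "Strict", secure: true };

// Constructed request contexts.
const SCENARIOS = {
  // Classic CSRF: an attacker-controlled site posts to the API.
  crossSitePost: {
    initiator: "https://attacker.example/",
    target: "https://api.example.com/transfer",
    method: "POST", topLevelNavigation: false,
  },
  // Cross-site top-level GET (a link click from another site).
  crossSiteTopLevelGet: {
    initiator: "https://attacker.example/",
    target: "https://api.example.com/transfer",
    method: "GET", topLevelNavigation: true,
  },
  // Compromised sub-domain (takeover, or XSS in a co-located app): same
  // site as the API, so SameSite never comes into play.
  subdomainPost: {
    initiator: "https://evil.example.com/",
    target: "https://api.example.com/transfer",
    method: "POST", topLevelNavigation: false,
  },
};

// Returns { scenarioName: attached } for the session cookie in a given mode.
function evaluate(sameSiteValue) {
  const cookie = { ...SESSION, sameSite: sameSiteValue };
  const out = {};
  for (const [name, ctx] of Object.entries(SCENARIOS)) {
    out[name] = cookieAttached(cookie, ctx);
  }
  return out;
}

for (const mode of ["Strict", "Lax", "None"]) {
  console.log(mode, evaluate(mode));
}
```

Running it shows the session cookie withheld from the cross-site POST under Strict and Lax, attached to the cross-site top-level GET under Lax, and attached to the POST from evil.example.com under every mode: a sub-domain the attacker controls is same-site by definition, so SameSite provides no protection there and the request carries the victim's session. Whether that case is called CSRF or something else, as the reply above discusses, the defence has to come from elsewhere (a per-request token, origin checks, or not sharing a site with untrusted code).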