Re: [quicwg/base-drafts] Request forgery attacks (#3995)
Martin Thomson <notifications@github.com> Thu, 13 August 2020 09:51 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA853A0AE3 for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 02:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.101
X-Spam-Level:
X-Spam-Status: No, score=-3.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zDS3iGTaafVA for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 02:51:56 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BFD03A0AC7 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 02:51:56 -0700 (PDT)
Received: from github-lowworker-f045d1f.ac4-iad.github.net (github-lowworker-f045d1f.ac4-iad.github.net [10.52.19.54]) by smtp.github.com (Postfix) with ESMTP id B283E600044 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 02:51:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1597312315; bh=weYCR3K7owhqFYd0jm5QMj1ym1VEbt5KR/+gtpEKoZ4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ZCVRrmfWzy9LIHu/Wf11uNZa6pFpWBWQTE9LnlrLUPLytIdsFDm2sGlVIwxedD5S2 YXWy7tduCEcpoyHyVjaM8SDHtWI1pZIa5x5Wh6GhTg/MVKvs8TLCuNSASHDq6m3Z5/ DGLQE0IYJ1PXIS9X5FuVqF9GZi+i52FTXfc1TgbU=
Date: Thu, 13 Aug 2020 02:51:55 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6XI3A3SORJ5PVTSFV5IDXDXEVBNHHCQYGADU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3995/673381284@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3995@github.com>
References: <quicwg/base-drafts/issues/3995@github.com>
Subject: Re: [quicwg/base-drafts] Request forgery attacks (#3995)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f350d3b9fb71_47f316f81779bc"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/G1QKp3sNA_KxJYIcLp7N1gb_rWk>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 09:51:58 -0000
@mikkelfj > In the issue you mention loopback but then goes on to use a local router address. > I was thinking loopback was on the clients machine. Yes, loopback is same host. But local router addresses (the example was just an address from a private address range), are also potentially vulnerable. > It is often the case that documentation servers run on localhost to display content, and some applications may be written to either directly use a browser interface, or indirectly via electron, to a locally hosted server. Yes, but those servers rarely take instructions that have any real consequence, so they don't tend to be exploitable. That's not uniformly true of course. > These type of applications are generally not hardened and therefore comparatively easy to exploit. In the worst case, such applications insist on running on port 80 or some other privileged port, thereby having elevated permissions. Privileged ports can mean that the process serving that port is privileged, yes. But it doesn't have to mean that. Of course, if it is, then it can potentially do a lot of harm. > But, how does this new attack differ from a HTTP redirect from a random web server, where part of the url is designed til trigger a vulnerability? One thing with HTTP is that we don't really protect against this sort of thing very well. Mostly because the Internet and Web grew up together and people more or less assumed at first that this sort of thing was OK. So we generally allow attackers to make requests over HTTP. But it's only a subset of requests that are designated as "safe". Later, as we realized that some of the HTTP stuff was dangerous we added CORS. For those things we believe to be "dangerous", CORS effectively does the same thing that address validation does for QUIC: it checks whether the server is willing to accept a request using a "safe" check (an OPTIONS request which includes minimal attacker controlled content) before it makes any request with any of the "dangerous" content that might be controlled by an attacker. Of course, we would love not to have to do CORS. It's a horrible waste when most servers don't suffer from these problems to spend a whole round trip negotiating its use. The CSRF paper mentioned in the pull request is the one that basically started all of this. It's fairly accessible if you are interested in learning more. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/3995#issuecomment-673381284
- [quicwg/base-drafts] Request forgery attacks (#39… Martin Thomson
- Re: [quicwg/base-drafts] Request forgery attacks … MikkelFJ
- Re: [quicwg/base-drafts] Request forgery attacks … Kazuho Oku
- Re: [quicwg/base-drafts] Request forgery attacks … Kazuho Oku
- Re: [quicwg/base-drafts] Request forgery attacks … Martin Thomson
- Re: [quicwg/base-drafts] Request forgery attacks … MikkelFJ
- Re: [quicwg/base-drafts] Request forgery attacks … Mike Bishop
- Re: [quicwg/base-drafts] Request forgery attacks … Martin Thomson
- Re: [quicwg/base-drafts] Request forgery attacks … Kazuho Oku
- Re: [quicwg/base-drafts] Request forgery attacks … Mike Bishop
- Re: [quicwg/base-drafts] Request forgery attacks … Lucas Pardue
- Re: [quicwg/base-drafts] Request forgery attacks … Jana Iyengar