[WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)

Brian Eaton eaton.lists at gmail.com
Mon Jun 26 13:29:25 EDT 2006


On 6/26/06, Gervase Markham <gerv at gerv.net> wrote:
> The reason that this is a complete non-starter is not due to any
> security failing, but because it has the potential to break the web.
>
> One of the key properties of the web is that anyone can link to
> anywhere. If sites are allowed to start dictating who can link to them,
> and browsers agree to cooperate with that dictation in the name of
> security, then the web as we know it will be ended.

This is a good point.  A few comments on it:

I don't think there is an incentive for CSL policy to be abused.  The
vast majority of web sites are *happy* when people link to them, they
don't want to prevent it.  If I am wrong about the incentive structure
here, then CSL policy could definitely have some unintended
consequences.

There are mechanisms used today to prevent cross-site linking, such as
referer header checks, and frame busting code.  So CSL policy doesn't
actually change what is possible, it just makes it easier.

Would you agree that there are legitimate reasons for me to block
links from arbitrary sites to certain pages on my site?

> > Here's an example of what I'm thinking of:
> > - Browser begins following a link from
> > http://source.start.com/source.html to
> > http://dest.finish.com/dest.html.
> > - Browser downloads http://dest/cslpolicy.xml, or uses a cached copy
> > of the policy.
>
> So every single cross-site link into a site would lead to a hit or, much
> more likely, a 404 on cslpolicy.xml?
>
> We have enough trouble with this sort of thing with favicon.ico...
> Server ops hate their error logs being filled.

Good point.  404 responses for the cslpolicy.xml file would have to be
cached.  (I ought to check what the HTTP spec says about that idea...)
Assuming the browser is permitted to cache the response, you wouldn't
see hits for cslpolicy.xml for every cross-site link.  Just the first
cross-site link a given user follows.

Regards,
Brian
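
A browser-side model of the CSL policy check described in this thread, added here as an illustration and not code from the thread or from any browser: the element names inside cslpolicy.xml and the fake servers are assumptions, since the proposal never fixes a format. It shows the 404 being cached alongside real policies, so a destination host is fetched once per client no matter how many cross-site links into it are followed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample policy; the <allow-from origin=...> layout is an
# assumption, not the format from the thread.
SAMPLE_POLICY = b"""<cslpolicy>
  <allow-from origin="http://source.start.com"/>
  <allow-from origin="http://www.finish.com"/>
</cslpolicy>"""

# Constructed stand-in for the network: host -> (HTTP status, body).
FAKE_SERVERS = {
    "dest.finish.com": (200, SAMPLE_POLICY),
    "other.example": (404, b""),  # site that publishes no policy
}
fetch_count = {}  # host -> number of policy fetches actually performed

def fetch_policy(host):
    """Simulate GET http://<host>/cslpolicy.xml against FAKE_SERVERS."""
    fetch_count[host] = fetch_count.get(host, 0) + 1
    return FAKE_SERVERS.get(host, (404, b""))

def origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"

class CslPolicyClient:
    """Browser-side check with negative (404) caching of cslpolicy.xml."""
    def __init__(self, fetch=fetch_policy):
        self.fetch = fetch
        # host -> set of allowed origins, or None when the site has no policy
        self.cache = {}

    def policy_for(self, host):
        if host not in self.cache:
            status, body = self.fetch(host)
            if status == 200:
                root = ET.fromstring(body)
                self.cache[host] = {e.get("origin") for e in root.findall("allow-from")}
            else:
                self.cache[host] = None  # cache the miss too: no repeat 404 hits
        return self.cache[host]

    def link_allowed(self, source_url, dest_url):
        src, dst = origin_of(source_url), origin_of(dest_url)
        if src == dst:
            return True  # same-site navigation, the policy does not apply
        allowed = self.policy_for(urlparse(dest_url).hostname)
        return allowed is None or src in allowed  # no policy means open linking
```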

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]