Really, the knee-jerk response to every single closed question on SO isn't terribly useful.
First off, you can still read the question and vote on answers. Since there are already several answers, adding another one would not be very useful anyhow.
Moreover, it's closed as a duplicate. There's an essentially identical question--with essentially the same answer--that's quite a bit older. It makes sense to point people to it so that there's one centralized resource on the topic.
As a duplicate of What??? That's always been my question. I've found it beyond dumb that they don't put the thing they want you to go to at that message. And, they should make it look like a link. Just my $0.02.
The thing that says, "Possible duplicate?" Once they confirm it they should change the wording to say "Duplicate" if that's the one they mean. It just looks like it's unfinished this way.
Wikipedia has shown us what ridiculous bureaucracy does to a community; it's sad that Stackoverflow has been turned into a utterly useless site despite the lessons that could have been learned from Wikipedia.
Every organization becomes controlled by those who serve the organization itself, as opposed to those who perform the actual goal or service of the organization. Schools are controlled by administrators, not the teachers. Wikipedia and other community-sourced internet sites are run by those who desired to acquire power over Wikipedia, not by those who desire to contribute content.
Stackoverflow has been turned into a utterly useless site
It has? It's news to me; I'm constantly finding relevant, useful information whenever I search for almost anything in the area of software development.
If you look at the gmail ajax calls, you'll also see they sometimes put a number in front of their data. Example:
3
[1, 2, 3, 0]
If you execute that in your JS console, it'll return undefined, which threw me for a loop a couple days ago when I saw it. I ended up having it ask on StackOverflow too and it's because JavaScript will interpret it as a property look up on that number object (it will evaluate to 3[0], which evaluates to undefined).
That such hacks are used as security measures makes me think that we've heard far from the last JavaScript exploit.
Now I find that workaround sweet: but it's still a total kludge and that such kludges are used just shows how poorly security has been conceived from the ground up in browsers / JavaScript.
I agree... I mean look at JSONP, that's basically the inverse hack. After all: what's the point of enforcing same-origin-policy in AJAX but ignoring it for <script>?
The actual reason for this is web advertising took off like wildfire, using 3rd party scripts. It was too late to reverse by the time people got concerned about the security model.
Content Security Policy makes all this much more robust in modern browsers.
JSONP lets the server turn off the same-origin policy. If XRFing your data is dangerous, don't use JSONP. But often we don't care about XRF, and the person writing the server is well-placed to know.
This works because the browser will run any third-party script, but it won't expose the raw string constituting the script.
So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script and only a same-domain script could parse the whole contents, by making a XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).
A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.
Actually as yoghur points out, CORS doesn't protect against CSRF. A token must be passed for any privileged calls.
That said, a benefit of CORS is the ability to do non-GET methods. So it's safer in the sense of HTTP idempotence, ie you can change server state safely, using POSTs, DELETEs, and so on. You'd still need to pass a token, however.
(Of course I meant cross-domain, not cross-browser :).
I'm a bit perplex why you've chosen to pedantize this particular word choice since "prepend" itself is a portmanteau derived by mashing "pre" and "append" together.
Perhaps the trio of "affix", "prefix" and "suffix" might be more useful, since there is no "postpend" or "suppend" to accompany "append" and "prepend".
This method only works for HTTP GETs, and can't get around requirements to present CSRF tokens with the request. This is one of several possible strategies for guarding against CSRF.
Wouldn't also using a custom HTTP header instead of cookies for passing a session identifier prevent this attack? A script tag can not set headers, right?
Correct me if I'm wrong, but does this not merely allow an attacker to cause the browser to make requests with custom headers? That is, it does not allow the attacker to gain the CSRF token, and if the CSRF token is not known to the attacker, he would still not be able to make API requests.
No. Unblow your mind. Any service which returns sensitive data in JSON via an HTTP get based on the user's cookie is vulnerable. At worst, an attacker would just be able collect the response of a GET on behalf of a visitor to the attacker's site if the user is on a really old browser.
Actually this prevents XSSI (cross-site script inclusion) not XSRF (cross-site request forgery).
XSRF vulnerabilities allow an attacker to issue web requests on a user's behalf; oftentimes though people only call it a vulnerability when you can issue a request that changes some state. And XSRF is usually prevented by including a hard to guess token with the request that is tied to the user and allows you to determine whether the request was generated by an authorized party. Please don't try to prevent XSRF by using while(1) :)
This doesn't protect again using an <img> tag to accomplish the same thing correct? Assume a malicious user wanted to delete something and the URI was formatted like: http://mydomain.com/delete/some-id-here. Then assuming the user is logged in, a simple <img src="http://www.mydomain.com/delete/some-id-here /> on a third party site would execute the request successfully correct?
This is one of the reasons why you never perform any actions which change something over GET. The main reason is so your site doesn't get deleted when the Googlebot visits. (Or more generally, so that web crawlers and other robots don't accidentally mutate the site.)
Using POST is not sufficient; you also need to include an XSRF token that only the requesting page knows. It's very possible to send a POST to a third-party site with about one line of Javascript. (In the relatively early days of Reddit, I wrote a page that upvoted itself by having a JS handler in an invisible iframe resubmit the same link over again, using the visitor's login credentials. At the time, submitting the same link twice on Reddit counted as an upvote, and so merely visiting the page would upvote the link.)
Yes, that solves that. But you should use CSRF. Otherwise someone could have a <form method=POST action="http://mysite.example.com/delete>…</form>; on their site and a javascript that will submit the form upon page load.
If that works then the developer responsible for mydomain.com should be reprimanded for wilful incompetence. And that isn't even the problem the while(1); trick is meant to mitigate.
If I remember correctly, it was first discovered pretty soon after a version of Gecko was introduced with support for setters/getters, and Gecko had minority market share at that time.
This can really be broken because you can redefine the numeric constructor of 1 to return false and thus get around the while(1). However, if for(;;) was used, then you cannot get around it. ;)
not be a coal to warm at, nor fire to sit before it.
47:15 Thus shall they be unto thee with whom thou hast laboured, even
thy merchants, from thy youth: they shall wander every one to his
quarter; none shall save thee.
48:1 Hear ye this, O house of Jacob, which are called by the name of
Israel, and are come forth out of the waters of Judah, which swear by
the name of the LORD, and make mention of the God of Israel, but not
in truth, nor in righteousness.
48:2 For they call themselves of the holy city, and stay themselves
upon the God of Israel; The LORD of hosts is his name.
48:3 I have declared the former things from the beginning; and they
went forth out of my mouth, and I shewed them; I did them suddenly,
and they came to pass.
61 comments
[ 3.2 ms ] story [ 111 ms ] threadGood 'ol stackoverflow
First off, you can still read the question and vote on answers. Since there are already several answers, adding another one would not be very useful anyhow.
Moreover, it's closed as a duplicate. There's an essentially identical question--with essentially the same answer--that's quite a bit older. It makes sense to point people to it so that there's one centralized resource on the topic.
However, I certainly see how it would be useful to have the link in the closed message as well.
http://stackoverflow.com/questions/871505/
Which is, itself a duplicate of this question, which has an even better answer:
http://stackoverflow.com/questions/3146798/
Every organization becomes controlled by those who serve the organization itself, as opposed to those who perform the actual goal or service of the organization. Schools are controlled by administrators, not the teachers. Wikipedia and other community-sourced internet sites are run by those who desired to acquire power over Wikipedia, not by those who desire to contribute content.
It has? It's news to me; I'm constantly finding relevant, useful information whenever I search for almost anything in the area of software development.
3
[1, 2, 3, 0]
If you execute that in your JS console, it'll return undefined, which threw me for a loop a couple days ago when I saw it. I ended up having it ask on StackOverflow too and it's because JavaScript will interpret it as a property look up on that number object (it will evaluate to 3[0], which evaluates to undefined).
Now I find that workaround sweet: but it's still a total kludge and that such kludges are used just shows how poorly security has been conceived from the ground up in browsers / JavaScript.
Content Security Policy makes all this much more robust in modern browsers.
So a malicious website can't steal that content by putting the URL in a script. It will never get to see what's in the script and only a same-domain script could parse the whole contents, by making a XHR call, and strip out the "while 1;" part. In contrast, a regular JSONP string is specifically designed for the third party to read it (by including code to call a callback function).
A lot of people still don't realise you shouldn't be serving private data as JSONP. Thankfully, CORS lets modern browsers go cross-browser safely, even with private data if things are configured right.
Would you clarify or add some pointers to where we can learn about CORS benefits for private data? CSRF is a huge but often underestimated issue.
That said, a benefit of CORS is the ability to do non-GET methods. So it's safer in the sense of HTTP idempotence, ie you can change server state safely, using POSTs, DELETEs, and so on. You'd still need to pass a token, however.
(Of course I meant cross-domain, not cross-browser :).
> safely, even with private data if things are configured right.
CORS does nothing to prevent CSRF attacks, see[1]. We still need to protect against CSRF.
[1]http://www.w3.org/TR/cors/#security
Perhaps the trio of "affix", "prefix" and "suffix" might be more useful, since there is no "postpend" or "suppend" to accompany "append" and "prepend".
Regardless, the Google ngram chart of these various words is pretty interesting: http://books.google.com/ngrams/graph?content=prepend%2Cappen...
http://books.google.com/ngrams/graph?content=pedantize&y...
http://lists.webappsec.org/pipermail/websecurity_lists.webap...
Rails and Django patches/recommendations on the issue: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypas... https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-e...
XSRF vulnerabilities allow an attacker to issue web requests on a user's behalf; oftentimes though people only call it a vulnerability when you can issue a request that changes some state. And XSRF is usually prevented by including a hard to guess token with the request that is tied to the user and allows you to determine whether the request was generated by an authorized party. Please don't try to prevent XSRF by using while(1) :)
Using POST is not sufficient; you also need to include an XSRF token that only the requesting page knows. It's very possible to send a POST to a third-party site with about one line of Javascript. (In the relatively early days of Reddit, I wrote a page that upvoted itself by having a JS handler in an invisible iframe resubmit the same link over again, using the visitor's login credentials. At the time, submitting the same link twice on Reddit counted as an upvote, and so merely visiting the page would upvote the link.)
Security issues are obviously more complex than one-line explanations. Thank you for your more elaborate reply!
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-at...
(http://flask.pocoo.org/docs/security/#json-security)
not be a coal to warm at, nor fire to sit before it.
47:15 Thus shall they be unto thee with whom thou hast laboured, even thy merchants, from thy youth: they shall wander every one to his quarter; none shall save thee.
48:1 Hear ye this, O house of Jacob, which are called by the name of Israel, and are come forth out of the waters of Judah, which swear by the name of the LORD, and make mention of the God of Israel, but not in truth, nor in righteousness.
48:2 For they call themselves of the holy city, and stay themselves upon the God of Israel; The LORD of hosts is his name.
48:3 I have declared the former things from the beginning; and they went forth out of my mouth, and I shewed them; I did them suddenly, and they came to pass.