
owasp-esapi-js - issue #9

Extend XMLHttpRequest API to turn off HTML5 Cross Origin Request by default


Posted on Aug 24, 2010 by Happy Panda

The XHR API is capable of making Cross domain calls now thanks to HTML5. There are applications that include user controlled data as the request URL in XHR.open().

This was assumed to be safe because this value could only be set to a file hosted on the same domain. But with HTML5 this value can be set to a file on an attacker-controlled domain. Real-life example on touch.facebook.com: http://m-austin.com/blog/?p=19

Server-side ESAPI provides a secure equivalent of the request and response objects. Similarly, ESAPI4JS can provide a secure equivalent of the XMLHttpRequest object by turning off support for COR by default (a little similar to this - http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html).

A new property can be added to the extended XHR API called 'cor'. Only if this flag is set would Cross Domain Requests be allowed. As explained towards the end of this post - http://blog.andlabs.org/2010/08/xssing-client-side-dynamic-html.html

Ideally this change must be made to the underlying API itself but until then ESAPI4JS can fill the gap I guess.
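The wrapper the issue proposes, as an added example that is not ESAPI4JS code and not part of the original post. The `cor` flag name is taken from the issue; the function names (`isSameOrigin`, `makeSecureXHR`, `installSecureXHR`), the stub constructor and the sample URLs are assumptions made for the demonstration. The wrapper takes the base `XMLHttpRequest` constructor and the page origin as parameters so it can be exercised outside a browser; `installSecureXHR` shows the browser-side installation, which assumes `window.XMLHttpRequest` and `window.location.origin` exist.

```javascript
// Added example (not ESAPI4JS code): a same-origin-by-default wrapper around
// XMLHttpRequest. The `cor` flag name comes from the issue; everything else
// here is an assumption made for the demonstration.

// Resolve `url` the way the browser would (relative to the page) and compare
// origins. Anything that does not resolve to the page origin counts as
// cross-origin: absolute URLs to other hosts, protocol-relative "//host/..."
// URLs, scheme or port mismatches, and opaque-origin schemes such as data:.
function isSameOrigin(url, pageOrigin) {
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return false; // unparsable input: fail closed
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Build a drop-in replacement for the given XMLHttpRequest constructor.
// open() refuses cross-origin URLs unless the instance's `cor` property was
// set to true beforehand, so code that passes user-controlled data into the
// URL cannot be pointed at a foreign host by accident.
function makeSecureXHR(BaseXHR, pageOrigin) {
  return class SecureXHR extends BaseXHR {
    constructor() {
      super();
      this.cor = false; // cross-origin requests are opt-in, off by default
    }

    open(method, url, ...rest) {
      const target = String(url);
      if (!this.cor && !isSameOrigin(target, pageOrigin)) {
        throw new Error('SecureXHR: cross-origin request blocked: ' + target);
      }
      return super.open(method, target, ...rest);
    }
  };
}

// In a browser, replace the global constructor so existing application code
// picks up the check without changes. Assumes `win.XMLHttpRequest` and
// `win.location.origin` (i.e. pass `window`).
function installSecureXHR(win) {
  if (!win || typeof win.XMLHttpRequest !== 'function' || !win.location) {
    return false;
  }
  win.XMLHttpRequest = makeSecureXHR(win.XMLHttpRequest, win.location.origin);
  return true;
}

// Constructed stand-in for XMLHttpRequest so the wrapper can be exercised
// outside a browser; it only records what open() was called with.
class StubXHR {
  open(method, url) {
    this.opened = { method, url };
  }
  send() {}
}

// Walk a set of constructed request URLs, as an application that builds the
// URL from user input might, and record which ones the wrapper lets through.
function demo() {
  const pageOrigin = 'https://app.example'; // constructed page origin
  const SecureXHR = makeSecureXHR(StubXHR, pageOrigin);
  const samples = [
    '/api/profile?id=42',               // same origin, relative: allowed
    'https://app.example/api/profile',  // same origin, absolute: allowed
    '//other.example/x',                // protocol-relative: blocked
    'https://other.example/x',          // other host: blocked
    'http://app.example/api/profile',   // scheme mismatch: blocked
    'https://app.example:8443/api',     // port mismatch: blocked
  ];
  const result = {};
  for (const url of samples) {
    const xhr = new SecureXHR();
    try {
      xhr.open('GET', url);
      result[url] = 'allowed';
    } catch (e) {
      result[url] = 'blocked';
    }
  }
  // Explicit opt-in: the same foreign URL goes through once `cor` is set.
  const optIn = new SecureXHR();
  optIn.cor = true;
  optIn.open('GET', 'https://other.example/x');
  result.optInAllowed = optIn.opened.url === 'https://other.example/x';
  return result;
}
```

The origin comparison is done on the resolved `URL.origin` rather than on the raw string, which is what makes the protocol-relative and port-mismatch cases fall on the blocked side; a string prefix check against the hostname would miss both.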

Comment #1

Posted on Aug 24, 2010 by Swift Wombat

Definitely a good call - I will slot this for the next release

Status: Accepted

Labels:
Type-Enhancement Priority-High