ES4 Security
Steven Mascaro
subs at voracity.org
Tue May 20 00:24:02 PDT 2008
On Mon, May 19, 2008 at 11:54 PM, Mike Shaver <mike.shaver at gmail.com> wrote:
> On Sun, May 18, 2008 at 10:50 AM, Steven Mascaro <subs at voracity.org> wrote:
>> For example, suppose that it were possible to retrieve the text of any
>> <script src="..."></script> element using '.textContent' from
>> javascript, regardless of origin. You'll agree that this is
>> unthinkable today. But I assume you'll also agree that there is no
>> security problem in doing this if no cookies (or other private data)
>> are sent in the initial request to retrieve the script page?
>
> I wouldn't make that assumption, and I doubt that Brendan would agree.
>
> http://publicsite.com/lolhax.html containing <script
> src="http://intranet/internallyPublicResource?format=json"></script>,
> for example.
Point taken. I remember worrying about this with the intranet I
manage, so I made every (generated) page require authentication. But
granted, not everyone will do this.
Still, there are some arguments against this (and for urging intranet
developers to use authentication):
1) Sensitive JS functions and variables are still exposed in the same way
2) Various privileged actions can still be performed, such as
accessing or posting to URLs that trigger internal actions
3) "Fishing" style attacks have very low returns because internal URLs
are difficult to guess. They will be easy to guess for either major
intranet packages or major organisations, but those *must* use
authentication anyway (see 1 & 2)
4) The vast bulk of JSON data delivered this way will be customised to
the user, and hence involve cookies (yes, I am myopic, aren't I? :) ).
Anything not customised to the user is unlikely to contain sensitive
data (because it will be available to anyone with access to the
intranet --- from managers to work experience kids). Granted, there
will be developers who think 'programming code' means 'invisible', but
those developers will either be bitten by much harder problems soon
enough, or won't encounter any problems at all because their code is
not used by enough people.
Again, though, I feel that this is an example of 'private data' abuse
by a 3rd party (where the private data here are credentials). I get
panicky every time I do something as simple as *linking* to a public
website from an intranet page (and hence use anonymous redirects). I
would much prefer if it were not possible to mix data from two
different networks (in this case, internet/intranet) without being
completely explicit, but I understand that would require some major
changes.
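The concrete risk Mike raises above is a public page doing `<script src="http://intranet/...?format=json">` and reading the data once the browser has fetched it from inside the network. The snippet below is an added example, not code from this thread or from any ES4 implementation; it shows the two server-side guards a JSON endpoint can combine so that a `<script>` inclusion yields nothing even when no cookies are involved: refuse requests that lack a header a script tag cannot send (the header name and the request/response shapes here are constructed for the example), and prefix the body so that it is a syntax error if evaluated as script while the legitimate XHR client strips the prefix before parsing.

```javascript
// Added example (not from the es4-discuss thread): guarding a JSON endpoint
// against cross-origin <script src> inclusion.
//
// Layer 1: a <script> element cannot add request headers, so requiring one
//          (here X-Requested-With: XMLHttpRequest) rejects script inclusion.
// Layer 2: an anti-hijack prefix makes the body a SyntaxError when a script
//          engine parses it, so no value is ever produced for the including
//          page; the real client strips the prefix before JSON.parse.

const ANTI_HIJACK_PREFIX = ")]}',\n";

// Normalise header names so lookups are case-insensitive.
function lowerCaseKeys(obj) {
  const out = {};
  for (const k of Object.keys(obj)) out[k.toLowerCase()] = obj[k];
  return out;
}

// Server side. `request` is a minimal constructed shape: { headers: {...} }.
function buildJsonResponse(request, payload) {
  const headers = lowerCaseKeys(request.headers || {});
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: { 'content-type': 'text/plain' }, body: 'forbidden' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'application/json; charset=utf-8',
      'x-content-type-options': 'nosniff', // stop MIME sniffing into script
    },
    body: ANTI_HIJACK_PREFIX + JSON.stringify(payload),
  };
}

// Client side (the XHR-based caller): verify and strip the prefix, then parse.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Simulates what a <script src> inclusion does with the body: hand it to the
// script parser. Returns true if the body parses as a script, false if it is
// rejected with a SyntaxError (nothing is executed either way).
function evaluatesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload: a JSON array, the shape that historically
// evaluated cleanly as a script statement.
const samplePayload = [{ user: 'alice', role: 'admin' }];

function demo() {
  const blocked = buildJsonResponse({ headers: {} }, samplePayload);
  const ok = buildJsonResponse(
    { headers: { 'X-Requested-With': 'XMLHttpRequest' } }, samplePayload);
  return {
    withoutHeader: blocked.status,                          // 403
    withHeader: ok.status,                                  // 200
    rawJsonParsesAsScript: evaluatesAsScript(JSON.stringify(samplePayload)), // true
    guardedParsesAsScript: evaluatesAsScript(ok.body),      // false
    clientSeesData: parseGuardedJson(ok.body),              // the payload
  };
}

console.log(demo());
```

The header check on its own is the stronger guard, since it fails closed for any client that is not a same-origin XMLHttpRequest; the prefix is defence in depth for endpoints that must remain reachable by plain GET. Neither layer depends on cookies, which is the point of the intranet case: the request is authorised by network position, not by credentials, so the response itself has to be made useless to an including page.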