Preflight request when withcredentials is supplied with post/get methods

VERIFIED INVALID

Status

()

VERIFIED INVALID
2 years ago
2 years ago

People

(Reporter: huynhok.uit, Unassigned)

Tracking

52 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170330221232

Steps to reproduce:

1. Create web server with Access-Control-Allow-Origin: *
2. Send xhr get request with body and credentials to server and then see response and console tab


Actual results:

1. It sent request successfully and response available now.
2. Browser prevents xhr from reading response but request's succeeded.
I know that get's simple request but if get has body data, noway to cause open new tab with body data in get. Then if get's critial action or cached authorized data, it can be made from unauthenticated user.


Expected results:

When withcredentials's supplied, browsers allways sends preflight request firstly.
Christoph, is this something you could take a look at?
Group: firefox-core-security → core-security
Component: Untriaged → Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core
(Reporter)

Comment 2

2 years ago
I notice that with POST request via xhr example:
xhr = new XMLHttpRequest();
xhr.open('POST','target',true);
xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send('payload');

The request is made and sent success full to web server. The attacker doesnot know response, but request's succeeded.
(Reporter)

Comment 3

2 years ago
I forgot mention that POST above is always successful with or without Access-Control-Allow-Origin in response.
(In reply to [Out of Office Until 24-April] Ryan VanderMeulen [:RyanVM] from comment #1)
> Christoph, is this something you could take a look at?

Unfortunately I am too busy with other things right now. Can someone from the Necko folks have a look?
Flags: needinfo?(ckerschb) → needinfo?(mcmanus)
Can you help me understand why this is a security restricted bug? I may be misunderstanding.

My understanding is that you provide the code from comment 2, and it seems to work on a network level (i.e. it is not preflighted because it is a simple request and the POST actually happens and returns a 200 response code along with access-control-allow-origin).. but the xhr does not see the response body? What is the security issue there? (or where is my misunderstanding?)

Is the issue simply that the response is missing access-control-allow-credentials: true https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials ?
Flags: needinfo?(mcmanus) → needinfo?(huynhok.uit)
(Reporter)

Comment 6

2 years ago
Hi McManus,

I pointed that if the request is made, then it sent to server successfully, the attacker doesnot know result but request is still succeeded with credentials. The result from server is unpredictable, it's depent on how the type of attack.

When we send preflight request firstly, we will prevent from request's sent successfully with credentials.
Flags: needinfo?(huynhok.uit)
(Reporter)

Comment 7

2 years ago
In example, update user infomation context or update somethings, the attacker sent request and then wait for result from server for further attack.
Thank you - I have one more question to be sure I understand why you filed the bug.

Are you saying that you believe that CORS should not treat the transaction in comment 2 as a simple (non-preflighted) request because of withCredentials = true?
Flags: needinfo?(huynhok.uit)
(Reporter)

Comment 9

2 years ago
Yes, when withCredentials = true, it should not be treated as simple request.
Flags: needinfo?(huynhok.uit)
This bug should probably be closed and the issue taken up as a standards item - aiui we are doing the correct thing and this is well known information but I freely admit sometimes I cannot keep all the CORS rules in my head. Let's have anne make the final determination of the bug.
Flags: needinfo?(annevk)

Comment 11

2 years ago
Yeah, comment 2 is also possible with <form> (which also includes credentials and doesn't do a preflight) and therefore CORS allows such requests including credentials and without preflight as well.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(annevk)
Resolution: --- → INVALID
(Reporter)

Comment 12

2 years ago
But how about get with body data Anne ?
GET /secret/change_me
{
data
}
Unhiding per Anne's request. FWIW, I agree with Anne and Patrick.
Group: core-security
Quoting https://fetch.spec.whatwg.org/#general
> The CORS protocol consists of a set of headers that indicates whether a response can be shared cross-origin.
> 
> For requests that are more involved than what is possible with HTML’s form element, a CORS-preflight request is performed, to ensure request’s current url supports the CORS protocol. 

Everything you suggest is possible with a <form> attribute. Including the GET request.

Comment 15

2 years ago
Did you test GET with a body? The body won't be there in the actual request. It's silently dropped for GET/HEAD per the Fetch Standard.
(Reporter)

Comment 16

2 years ago
Get with body data not is parameter get, I cannot find any example for html form. But I agree that it's rare case.
(Reporter)

Comment 17

2 years ago
No Anne, Elastich Search uses GET body, bro.
(Reporter)

Updated

2 years ago
Status: RESOLVED → VERIFIED

Comment 18

2 years ago
Please stay respectful.

I'm not disputing that GET with a body is a thing, I'm disputing that it's a thing in browsers.
(Reporter)

Comment 19

2 years ago
I'm sorry, I see :)
You need to log in before you can comment on or make changes to this bug.