Closed
Bug 1356995
Opened 7 years ago
Closed 7 years ago
Preflight request when withcredentials is supplied with post/get methods
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
INVALID
People
(Reporter: huynhok.uit, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20170330221232 Steps to reproduce: 1. Create web server with Access-Control-Allow-Origin: * 2. Send xhr get request with body and credentials to server and then see response and console tab Actual results: 1. It sent request successfully and response available now. 2. Browser prevents xhr from reading response but request's succeeded. I know that get's simple request but if get has body data, noway to cause open new tab with body data in get. Then if get's critial action or cached authorized data, it can be made from unauthenticated user. Expected results: When withcredentials's supplied, browsers allways sends preflight request firstly.
|
||
Comment 1•7 years ago
|
||
Christoph, is this something you could take a look at?
Group: firefox-core-security → core-security
Component: Untriaged → Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core
|
Reporter | |
Comment 2•7 years ago
|
||
I notice that with POST request via xhr example:
xhr = new XMLHttpRequest();
xhr.open('POST','target',true);
xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.withCredentials = true;
xhr.send('payload');
The request is made and sent success full to web server. The attacker doesnot know response, but request's succeeded.|
|
Reporter | |
Comment 3•7 years ago
|
||
I forgot mention that POST above is always successful with or without Access-Control-Allow-Origin in response.
|
||
Comment 4•7 years ago
|
||
(In reply to [Out of Office Until 24-April] Ryan VanderMeulen [:RyanVM] from comment #1) > Christoph, is this something you could take a look at? Unfortunately I am too busy with other things right now. Can someone from the Necko folks have a look?
Flags: needinfo?(ckerschb) → needinfo?(mcmanus)
|
||
Comment 5•7 years ago
|
||
Can you help me understand why this is a security restricted bug? I may be misunderstanding. My understanding is that you provide the code from comment 2, and it seems to work on a network level (i.e. it is not preflighted because it is a simple request and the POST actually happens and returns a 200 response code along with access-control-allow-origin).. but the xhr does not see the response body? What is the security issue there? (or where is my misunderstanding?) Is the issue simply that the response is missing access-control-allow-credentials: true https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials ?
Flags: needinfo?(mcmanus) → needinfo?(huynhok.uit)
|
|
Reporter | |
Comment 6•7 years ago
|
||
Hi McManus, I pointed that if the request is made, then it sent to server successfully, the attacker doesnot know result but request is still succeeded with credentials. The result from server is unpredictable, it's depent on how the type of attack. When we send preflight request firstly, we will prevent from request's sent successfully with credentials.
Flags: needinfo?(huynhok.uit)
|
|
Reporter | |
Comment 7•7 years ago
|
||
In example, update user infomation context or update somethings, the attacker sent request and then wait for result from server for further attack.
|
|
||
Comment 8•7 years ago
|
||
Thank you - I have one more question to be sure I understand why you filed the bug. Are you saying that you believe that CORS should not treat the transaction in comment 2 as a simple (non-preflighted) request because of withCredentials = true?
Flags: needinfo?(huynhok.uit)
|
|
Reporter | |
Comment 9•7 years ago
|
||
Yes, when withCredentials = true, it should not be treated as simple request.
Flags: needinfo?(huynhok.uit)
|
|
||
Comment 10•7 years ago
|
||
This bug should probably be closed and the issue taken up as a standards item - aiui we are doing the correct thing and this is well known information but I freely admit sometimes I cannot keep all the CORS rules in my head. Let's have anne make the final determination of the bug.
Flags: needinfo?(annevk)
|
||
Comment 11•7 years ago
|
||
Yeah, comment 2 is also possible with <form> (which also includes credentials and doesn't do a preflight) and therefore CORS allows such requests including credentials and without preflight as well.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(annevk)
Resolution: --- → INVALID
|
|
Reporter | |
Comment 12•7 years ago
|
||
But how about get with body data Anne ?
GET /secret/change_me
{
data
}
|
||
Comment 13•7 years ago
|
||
Unhiding per Anne's request. FWIW, I agree with Anne and Patrick.
Group: core-security
|
|
||
Comment 14•7 years ago
|
||
Quoting https://fetch.spec.whatwg.org/#general > The CORS protocol consists of a set of headers that indicates whether a response can be shared cross-origin. > > For requests that are more involved than what is possible with HTML’s form element, a CORS-preflight request is performed, to ensure request’s current url supports the CORS protocol. Everything you suggest is possible with a <form> attribute. Including the GET request.
|
|
||
Comment 15•7 years ago
|
||
Did you test GET with a body? The body won't be there in the actual request. It's silently dropped for GET/HEAD per the Fetch Standard.
|
|
Reporter | |
Comment 16•7 years ago
|
||
Get with body data not is parameter get, I cannot find any example for html form. But I agree that it's rare case.
|
|
Reporter | |
Comment 17•7 years ago
|
||
No Anne, Elastich Search uses GET body, bro.
|
|
Reporter | |
Updated•7 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 18•7 years ago
|
||
Please stay respectful. I'm not disputing that GET with a body is a thing, I'm disputing that it's a thing in browsers.
|
|
Reporter | |
Comment 19•7 years ago
|
||
I'm sorry, I see :)
You need to log in
before you can comment on or make changes to this bug.
Description
•