Examples are inconsistent about http vs https #19

Open
davidben opened this issue Jan 21, 2020 · 3 comments

Comments

@davidben
Example 1 says the router management site is deployed at http://admin:admin@router.local/set_dns. However, the example later uses an iframe to https://admin:admin@router.local/set_dns in the attack.

Example 3 says the internal link-shortening service is at https://go/. The next paragraph then talks about clicking http://go/* links. It then goes back to talking about leaking https://go/shortlink.

Given intranet sites tend not to use https, I'm guessing all of these were meant to be http?

@jyasskin (Member)

Switching Example 1 to consistently use http:// makes it rely on mixed content blocking instead of the new CORS preflight. Switching csrf.attack to also use http makes the example rely on the secure context restriction instead of the new CORS preflight. To exercise the CORS preflight, the internal IP server needs to actually use HTTPS, but then the router example isn't realistic since home routers can't run a publicly-trusted HTTPS server with a usable DNS name.

Example 3 can probably accommodate http://go/ since mixed content doesn't block https->http navigations. That'll prevent the redirector from redirecting to any local services because of the secure context restriction. If #39 happens, it also won't be able to redirect to any private addresses.

@davidben (Author)

Oh huh, good point. Now that even passive mixed content is blocked, does this mean the address space preflight is mostly navigation-only? (That and more complex intranet examples where private services can actually deploy HTTPS.)

I guess, in the description of example 1, top-level navigation works just as well as an attack vector (the example says "by navigating to http://admin:admin@router.local/set_dns and passing in various GET parameters"). So the preflight is still load-bearing here, but it is a little unsatisfying to use navigation in both examples.

@letitz (Collaborator) commented Apr 6, 2021

It's true that https://router.local is not currently possible. We can instead describe something like Plex's scenario: https://abcdefgh.nas.example?

I agree that it would be best to showcase an example for both kinds of requests: subresources and navigations.
