New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent 401 phishing attacks #504

Open
EdOverflow opened this Issue Jan 10, 2017 · 16 comments

Comments

2 participants
@EdOverflow
Member

EdOverflow commented Jan 10, 2017

The following markdown image should prompt you with an authentication dialog:

![](https://httpbin.org/basic-auth/user/passwd)

This can be used for 401 phishing attacks, where the credentials are sent to an attackers' server.

@EdOverflow

This comment has been minimized.

Show comment
Hide comment
@EdOverflow

EdOverflow Jan 10, 2017

Member

Maybe we should also prevent use of SVG images.

![](http://brutelogic.com.br/poc.svg) <-- Open this image in a new tab.
Member

EdOverflow commented Jan 10, 2017

Maybe we should also prevent use of SVG images.

![](http://brutelogic.com.br/poc.svg) <-- Open this image in a new tab.
@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202.

Member

Changaco commented Jan 10, 2017

Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202.

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

Note that Firefox does show a warning:

https://httpbin.org is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Screenshot:

spectacle h13774

Member

Changaco commented Jan 10, 2017

Note that Firefox does show a warning:

https://httpbin.org is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Screenshot:

spectacle h13774

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

Member

Changaco commented Jan 10, 2017

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

@EdOverflow

This comment has been minimized.

Show comment
Hide comment
@EdOverflow

EdOverflow Jan 10, 2017

Member

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/

Member

EdOverflow commented Jan 10, 2017

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

I know what it is, but I see no reason to allow it for images. ;-)

Member

Changaco commented Jan 10, 2017

I know what it is, but I see no reason to allow it for images. ;-)

@Changaco Changaco added the Defense label Jan 10, 2017

@EdOverflow

This comment has been minimized.

Show comment
Hide comment
@EdOverflow

EdOverflow Jan 10, 2017

Member

Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue.

The only real solution is to proxy all images as suggested in #202.

Member

EdOverflow commented Jan 10, 2017

Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue.

The only real solution is to proxy all images as suggested in #202.

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

For some reason developers are not interested in fixing this issue.

Do you have links to the relevant tickets in the bug trackers of browsers?

Member

Changaco commented Jan 10, 2017

For some reason developers are not interested in fixing this issue.

Do you have links to the relevant tickets in the bug trackers of browsers?

@EdOverflow

This comment has been minimized.

Show comment
Hide comment
@EdOverflow

EdOverflow Jan 10, 2017

Member

Do you have links to the relevant tickets in the bug trackers of browsers?

https://bugs.chromium.org/p/chromium/issues/detail?id=21628

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68

Member

EdOverflow commented Jan 10, 2017

Do you have links to the relevant tickets in the bug trackers of browsers?

https://bugs.chromium.org/p/chromium/issues/detail?id=21628

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 10, 2017

Member

Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed.

Member

Changaco commented Jan 10, 2017

Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed.

@EdOverflow

This comment has been minimized.

Show comment
Hide comment
@EdOverflow

EdOverflow Jan 10, 2017

Member

Yep, I am with you on that. :)

Member

EdOverflow commented Jan 10, 2017

Yep, I am with you on that. :)

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Jan 16, 2017

Member

The new SaferHtmlRenderer that I've contributed to Misaka has built-in support for URL rewriting.

Member

Changaco commented Jan 16, 2017

The new SaferHtmlRenderer that I've contributed to Misaka has built-in support for URL rewriting.

@Changaco

This comment has been minimized.

Show comment
Hide comment
Member

Changaco commented Jan 24, 2017

Relevant article: GitHub’s post-CSP journey.

@Changaco

This comment has been minimized.

Show comment
Hide comment
Member

Changaco commented Jan 31, 2017

@Changaco

This comment has been minimized.

Show comment
Hide comment
@Changaco

Changaco Mar 27, 2018

Member

Cloudflare workers seem like the best way to fix this. It would cost $5 per month.

Member

Changaco commented Mar 27, 2018

Cloudflare workers seem like the best way to fix this. It would cost $5 per month.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment