Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent 401 phishing attacks #504

Closed
EdOverflow opened this issue Jan 10, 2017 · 17 comments
Closed

Prevent 401 phishing attacks #504

EdOverflow opened this issue Jan 10, 2017 · 17 comments
Labels

Comments

@EdOverflow
Copy link
Member

@EdOverflow EdOverflow commented Jan 10, 2017

The following markdown image should prompt you with an authentication dialog:

![](https://httpbin.org/basic-auth/user/passwd)

This can be used for 401 phishing attacks, where the credentials are sent to an attackers' server.

@EdOverflow
Copy link
Member Author

@EdOverflow EdOverflow commented Jan 10, 2017

Maybe we should also prevent use of SVG images.

![](http://brutelogic.com.br/poc.svg) <-- Open this image in a new tab.
@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202.

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

Note that Firefox does show a warning:

https://httpbin.org is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Screenshot:

spectacle h13774

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

@EdOverflow
Copy link
Member Author

@EdOverflow EdOverflow commented Jan 10, 2017

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

I know what it is, but I see no reason to allow it for images. ;-)

@Changaco Changaco added the Defense label Jan 10, 2017
@EdOverflow
Copy link
Member Author

@EdOverflow EdOverflow commented Jan 10, 2017

Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue.

The only real solution is to proxy all images as suggested in #202.

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

For some reason developers are not interested in fixing this issue.

Do you have links to the relevant tickets in the bug trackers of browsers?

@EdOverflow
Copy link
Member Author

@EdOverflow EdOverflow commented Jan 10, 2017

Do you have links to the relevant tickets in the bug trackers of browsers?

https://bugs.chromium.org/p/chromium/issues/detail?id=21628

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 10, 2017

Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed.

@EdOverflow
Copy link
Member Author

@EdOverflow EdOverflow commented Jan 10, 2017

Yep, I am with you on that. :)

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 16, 2017

The new SaferHtmlRenderer that I've contributed to Misaka has built-in support for URL rewriting.

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 24, 2017

Relevant article: GitHub’s post-CSP journey.

@Changaco
Copy link
Member

@Changaco Changaco commented Jan 31, 2017

@Changaco
Copy link
Member

@Changaco Changaco commented Mar 27, 2018

Cloudflare workers seem like the best way to fix this. It would cost $5 per month.

@Changaco
Copy link
Member

@Changaco Changaco commented Jun 13, 2020

It looks like this issue has been fixed in browsers, I can't reproduce it anymore in Firefox (76.0.1) and Chromium (83.0.4103.61).

@Changaco Changaco closed this Jun 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.