Prevent 401 phishing attacks #504

Open
EdOverflow opened this Issue Jan 10, 2017 · 15 comments


@EdOverflow
Member

The following markdown image should prompt you with an authentication dialog:

![](https://httpbin.org/basic-auth/user/passwd)

This can be used for 401 phishing attacks, where the credentials are sent to an attacker's server.

@EdOverflow
Member

Maybe we should also prevent use of SVG images.

![](http://brutelogic.com.br/poc.svg) <-- Open this image in a new tab.
@Changaco
Member

Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202.

@Changaco
Member

Note that Firefox does show a warning:

https://httpbin.org is requesting your username and password. WARNING: Your password will not be sent to the website you are currently visiting!

Screenshot:


@Changaco
Member

Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

@EdOverflow
Member

> Why do browsers even show a prompt in this case? What legitimate use-case is there for this?

This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/

@Changaco
Member

I know what it is, but I see no reason to allow it for images. ;-)

@EdOverflow
Member
EdOverflow commented Jan 10, 2017 edited

Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue.

The only real solution is to proxy all images as suggested in #202.

@Changaco
Member

> For some reason developers are not interested in fixing this issue.

Do you have links to the relevant tickets in the bug trackers of browsers?

@EdOverflow
Member

> Do you have links to the relevant tickets in the bug trackers of browsers?

https://bugs.chromium.org/p/chromium/issues/detail?id=21628

> Can't we tell the browser not to show the prompt through CSP or a similar mechanism?

I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68

@Changaco
Member

Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed.

@EdOverflow
Member

Yep, I am with you on that. :)

@Changaco
Member

The new SaferHtmlRenderer that I've contributed to Misaka has built-in support for URL rewriting.
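An added example (not Misaka's or the project's own code) of the mitigation this thread converges on: rewrite every markdown image URL to a signed proxy URL so the reader's browser only ever talks to the proxy origin, and a 401 from a third-party host can no longer raise a credential prompt. The proxy origin and shared secret are assumed, and the proxy side additionally refuses to relay SVG.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlsplit, quote, unquote

# Assumed settings: the proxy origin that rewritten image URLs point at, and a
# shared secret so the proxy cannot be abused as an open relay (constructed).
PROXY_BASE = "https://img-proxy.example.invalid/img"
SECRET = b"constructed-example-secret"

# Content types the proxy relays; SVG is excluded because it can carry script.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def sign(url: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the original image URL, hex encoded."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_image_url(url: str, proxy_base: str = PROXY_BASE,
                      secret: bytes = SECRET) -> Optional[str]:
    """Renderer side: turn an image URL into a proxied, signed URL.

    Only absolute http(s) URLs are rewritten; anything else (data:, javascript:,
    relative paths) yields None so the renderer can drop the image outright.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # quote(..., safe='') also encodes '/', so the URL stays one path segment.
    return f"{proxy_base}/{sign(url, secret)}/{quote(url, safe='')}"


def verify_proxy_url(proxy_url: str, secret: bytes = SECRET) -> Optional[str]:
    """Proxy side: recover the original URL only if the signature checks out."""
    segments = urlsplit(proxy_url).path.split("/")
    if len(segments) < 3:
        return None
    digest, original = segments[-2], unquote(segments[-1])
    if not hmac.compare_digest(digest, sign(original, secret)):
        return None  # tampered or unsigned: do not fetch on the proxy's behalf
    return original


def relay_allowed(content_type: str) -> bool:
    """Proxy side: relay raster images only, so a poc.svg upstream is refused."""
    return content_type.split(";")[0].strip().lower() in ALLOWED_IMAGE_TYPES
```

The proxy itself fetches the original URL with no browser credentials involved, so an upstream 401 is simply an image that fails to load.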

@Changaco
Member

Relevant article: GitHub’s post-CSP journey.
