AJAX cross-domain requests are not blocked: is this a security vulnerability?

I spent the last 3 days learning how to make cross-domain requests using XMLHttpRequest. The best alternative is really JSONP, which I already use.

But I still have a question that I cannot find the answer anywhere. I read hundreds of posts (including SO) and no one has a good response (with a good link). Hope someone here can help.

I read on many websites that, for security reasons, I cannot make an Ajax request from example.com to yyy.com and get the data I need. This is very clear, and I have no doubt about it. BUT the problem is what happens when I run the code below on my local host (my domain is "localhost", and I should not be able to request any data from another domain).

var xhReq = new XMLHttpRequest();
xhReq.open("GET", "http://domain.com.br?parameter", true); // cross-origin GET
xhReq.send(null);

When I check the Firebug Net tab, I see that the request was not blocked! It was clearly sent. I could not believe it. So I created a file at domain.com.br/log.php, where I could register any request that reached my domain. Surprisingly, all the requests that I ran from localhost hit my .com.br domain. When I tried to read the response, I really couldn't get it, due to the same origin policy of my Chrome browser and Firebug. But I was very surprised that the request really hit the web server, despite the fact that I could not access the responses.

More surprisingly, if domain.com.br/log.php generates a huge 1 MB response, Firebug shows me that the browser downloads ALL 1 MB from the web server, and only at the end does it show the message "Access denied", as expected. So why download the entire file if the same origin policy prohibits reading this data?

Finally, I am surprised that all the websites and specifications that I read say very CLEARLY that the request is blocked when using Ajax and the target domain does not match the source domain. But my experiment clearly shows that the requests are completed, despite the fact that I can't access the response data.

What upsets me is that this can open a BIG security hole: every day, using a website with thousands of views, anyone can run this 3-line code and trigger a HUGE DDoS attack on an unfriendly website, just by forcing users to request a page on another website at short intervals, since the browser will not block the request.

I tested this script in IE 7, 8, and 9, as well as the latest versions of Chrome and Firefox, and everything is the same: the request is executed and the browser downloads the entire response without making it available, because of the SOP.

I hope someone can explain to me why the specifications are so wrong about this, or that I got it wrong!

+7
javascript ajax cross-domain
2 answers

The request can be executed, and the server can generate a response, regardless of CORS. However, the response may be hidden. balpha recently wrote about this on his blog:

Note that the same origin policy does not necessarily prevent the request as such - it simply prevents the response from being accessed. A malicious site can, for example, simply redirect the browser, or submit a form, or include an image or iframe - in all cases, a request is made to your site; the evil site simply does not see the response.

In any case, the browser has to make the request to the server to see whether the response carries the "Access-Control-Allow-Origin" header. Remember that CORS is enforced entirely by the browser. Someone might just write a console application to make a request to your server, so you should not rely on CORS to make sure that requests come only from your own site.

+5
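An added example, not from the question or either answer, written from the server's side to show what this answer states: the request reaches and is processed by the server whatever the browser later does with the response, so the server's Access-Control-Allow-Origin decision only controls whether page script may read the reply, and must never be mistaken for authentication. The allow-list of origins, the requestLog array (standing in for the question's log.php) and the port are assumptions.

```javascript
// Added example (assumed names: ALLOWED_ORIGINS, requestLog, port 8080).
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Pure decision: which CORS headers to attach for a given Origin header.
// Returns {} for an untrusted or absent origin, so the browser refuses the read.
// Only exact matches are echoed back; "*" is never combined with credentials.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must not reuse this reply for another origin
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Classifies the request independently of CORS. A cross-site request is still a
// real request that the server executes; it must pass the same authentication
// and CSRF checks as any other. Sec-Fetch-Site is the browser's own statement
// of where the request came from (values: same-origin, same-site, cross-site, none).
function classifyRequest(headers) {
  const origin = headers.origin;
  const site = headers['sec-fetch-site'];
  if (site === 'cross-site' || (origin && !ALLOWED_ORIGINS.has(origin))) return 'cross-site';
  return 'same-site-or-trusted';
}

const requestLog = []; // hypothetical stand-in for the question's log.php

function handle(req, res) {
  // Logged before any CORS decision: the server always sees the request.
  requestLog.push({ origin: req.headers.origin || null, kind: classifyRequest(req.headers) });
  const cors = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') { res.writeHead(204, cors); return res.end(); }
  res.writeHead(200, { 'Content-Type': 'text/plain', ...cors });
  res.end('hello'); // sent regardless; the browser decides whether script may read it
}

// Call startServer() to run it for real; kept out of module load so tests stay offline.
function startServer(port = 8080) {
  const http = require('http');
  return http.createServer(handle).listen(port);
}
```

With an Origin of http://localhost the handler still runs and logs the hit, exactly as the question's log.php did, but answers without any Access-Control-Allow-Origin header.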

You can achieve the same effect (for example, the DoS attack you mentioned) with a simple image file; this does not have to be XHR. Link an image file from another website, put millions of them on your page, show it to your users, and boom.

0