MegaCorp’s leak-prevention department is worried, though, that this access In order to ensure that employees can continue to navigate such links asĮxpected, MegaCorp chooses to allow private network requests: HTTP/1.1 200 OKĪccess-Control-Allow-Private-Network: true How considerate!Ĭlicking links from will trigger a CORS-preflight request, as it is a request from a publicĪddress to a private address: OPTIONS /short-links-are-short-after-shortening HTTP/1.1 Hosted at a public address in order to ensure that employees can workĮven when they’re not at the office. Its employees often email such links to each other. runs an internal link shortening service at and This will cause the preflight to fail, and the actual GET will never be issued. If it does understand OPTIONS, it can neglect to include an Access-Control-Allow-Private-Network header in its This will cause the preflight to fail, and the actual GET will never If it doesn’t understand OPTIONS at all, it can return a 50X error. The router will receive this OPTIONS request, and has a number of possible HTTP/1.1Īccess-Control-Request-Private-Network: true Since csrf.attack resolved to a public address, the request will trigger a CORS-preflight request: OPTIONS /set_dns?. Multicast DNS, and the user agent will note it as private. Router.local will be resolved to the router’s address via the magic of
Generate a CORS-preflight request, which the router ignores. Greatly mitigates the scope of the vulnerability, as malicious requests will Public internet, and didn’t take any special effort to enable them. Happily, MegaCorp Inc’s routers don’t have any interest in requests from the Their DNS settings to be altered by navigating to and passing in various GET MegaCorp Inc’s routers have a fairly serious CSRF vulnerability which allows Or worse, this is becoming a common deployment mechanism for all manner ofĪpplications, and often assumes protections that simply don’t exist (see and for recent examples).
#MALWAREBYTES 3.1.2 KEY GENERATOR SOFTWARE#
Software running a web interface on a user’s loopback address. No preflight is triggered, and theĪttacker doesn’t actually care about reading the response, as the request Note that status quoĬORS protections don’t protect against the kinds of attacks discussed hereĪs they rely only on CORS-safelisted methods and CORS-safelisted request-headers. For example, we wish to mitigate attacks on: The overarching goal is to prevent the user agent from inadvertantly enablingĪttacks on devices running on a user’s local intranet, or services running on Require internal devices to explicitly opt-in to requests from the public Here, we propose a mitigation against these kinds of attacks that would Number of malicious behaviors, including attacks on users' routers like thoseĭocumented in (and, more recenly, and ). Internet can make requests to internal devices and servers, which enable a Much progress at segregating the one from the other. "public" internet addresses for over a decade, user agents haven’t made 2.4 The treat-as-public-address Content Security Policy DirectiveĪlthough has specified a distinction between "private" and.
0 kommentar(er)
