<html><body bgcolor="#FFFFFF"><div>This is a very good idea. Eric, are you interested in lending support?<br><br></div><div>CSRF is tough to deal with in clustered environments, SSO and other special use cases. There is a lot for us as OWASP to expand upon beyond "use tokens".</div><div><br></div><div>Aloha,</div><div>&nbsp;<br>-Jim Manico<div><a href="http://manico.net">http://manico.net</a></div></div><div><br>On Mar 25, 2011, at 1:44 PM, "Paulo Coimbra" &lt;<a href="mailto:paulo.coimbra@owasp.org">paulo.coimbra@owasp.org</a>&gt; wrote:<br><br></div><div></div><blockquote type="cite"><div><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">All,<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Please keep me in the loop. 
I propose we put this new field of research also under the umbrella project generically called Cross-Site Request Forgery Project.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p><div><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks,<o:p></o:p></span></p><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">- Paulo<o:p></o:p></span></p><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Paulo Coimbra,<o:p></o:p></span></p><p class="MsoNormal"><span lang="PT" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><a href="http://www.owasp.org/index.php/User:Paulo_Coimbra"><span style="color:blue">OWASP Project Manager</span></a><o:p></o:p></span></p></div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt"><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Jim Manico [mailto:jim.manico@owasp.org] <br><b>Sent:</b> 
Friday, 25 March 2011 20:26<br><b>To:</b> Chris Schmidt<br><b>Cc:</b> Frederick Donovan; &lt;<a href="mailto:owasp-leaders@owasp.org">owasp-leaders@owasp.org</a>&gt;<br><b>Subject:</b> Re: Wait, what?<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p>&nbsp;</o:p></p><div><p class="MsoNormal">Chris,<o:p></o:p></p></div><div><p class="MsoNormal"><o:p>&nbsp;</o:p></p></div><div><p class="MsoNormal">This is interesting stuff. If you don't mind, drop the contents of this email into an OWASP Wiki page and I'll clean it up.<o:p></o:p></p></div><div><p class="MsoNormal"><br>-Jim Manico<o:p></o:p></p><div><p class="MsoNormal"><a href="http://manico.net">http://manico.net</a><o:p></o:p></p></div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On Mar 25, 2011, at 11:11 AM, "Chris Schmidt" &lt;<a href="mailto:chris.schmidt@owasp.org">chris.schmidt@owasp.org</a>&gt; wrote:<o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I’m going to disagree on this point. The term JSONP is JSON with Padding (or JSON Prepended). 
So basically what you get is</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;script src=<a href="http://site.com/do_something_cool?callback=parseResponse">http://site.com/do_something_cool?callback=parseResponse</a>&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Now, that call can (and often does) do something, then returns a response in JSON format; that is, it *<b>prepends</b>* the JSON response (although "wraps" is probably a better description) in a function call that the client specifies in the callback parameter. As you know – just including JSON data between script tags *<b>may</b>* compile and run – but does nobody any good without understanding the context of how it is being used, and that context has no business being mixed in with the data. 
So your response data may be:</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">[ { name: 'joe', acct_number: '12345' } ]</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">But what actually comes back is:</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">parseResponse([{name:'joe',acct_number:'12345'}]);</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:36.0pt"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">When the script is loaded into the JavaScript runtime, it will call the function you pass in with the data that is the response payload. 
Just like a standard Ajax callback, only cross-domain!</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Now put this into the context of CSRF. Site A (<a href="http://a.com">a.com</a>) uses JSONP to perform some ajaxian stuff due to SOP policy issues. They have something that looks like this:</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;script type="text/javascript"&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;function parseResponse(data) {</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;document.getElementById('name_div').innerHTML = data[0].name;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;XHRFactory.dispatchRequest(acctController, { 'acct': data[0].acct_number }, displayAcctDetails);</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;}</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;/script&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;script type="text/javascript" src="<a href="http://b.com/service/GetUserDetails.jsonp?callback=parseResponse">http://b.com/service/GetUserDetails.jsonp?callback=parseResponse</a>"&gt;&lt;/script&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Site B (<a href="http://b.com">b.com</a>) is controlled by the same people who control Site A – so authentication is shared, and the site is trusted. 
</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Attacker brings up a page and, through some recon and enumeration, discovers that several other services exist on <a href="http://b.com">b.com</a>. So he builds a page:</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;script type="text/javascript"&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;function getAccountData(data) {</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;buildNewScriptElement('<a href="http://b.com/service/TransferFunds.jsonp?callback=wasSuccess&amp;fromAcct=">http://b.com/service/TransferFunds.jsonp?callback=wasSuccess&amp;fromAcct=</a>' + data[0].acct_number + '&amp;toAcct=' + my_swiss_acct + '&amp;amt=1000');</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;}</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;function wasSuccess(data) {</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (data[0].success)</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logDeposit(data[0].depositAmount);</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;}</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;/script&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&lt;script type="text/javascript" src="<a href="http://b.com/service/GetUserDetails.jsonp?callback=getAccountData">http://b.com/service/GetUserDetails.jsonp?callback=getAccountData</a>"&gt;&lt;/script&gt;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Attacker then entices users of Site A to check out his page – anticipating that most of them will have an authenticated session on Site A. 
</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">This is tremendously more powerful than a traditional CSRF attack as it allows an attacker to craft complex multi-stage attacks that can be completely transparent to the authenticated user. This is also a great deal more than *<b>just</b>* a script include from a remote site, it is code that is the result of an operation – whether that be a lookup (query) or action (update) or delete operation is not important when defining the risk. </span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">So, as you can see – I am not claiming that JSONP itself is the problem – however, due to the nature of what you can do with JSONP, if controls are not in place (CSRF, Whitelist validation of callback methods, etc) you can have a very powerful attack surface.</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">For the record – I would love to be proven wrong on this, so feel free 
to debate!</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">As I said, I am writing up a blog post on this in all of my spare time (har har har), which I optimistically claimed could be out last night but will more likely be released this weekend. There are other risks here (notice the additional controls) that also are not new, and have been covered before. But really this is something that is only going to get more popular with mashups, and as more sensitive data and operations exist in that space (you know, that online banking widget you put on your iGoogle page) this will become a greater and greater risk. This risk is at the point where cross-site scripting once was. A few people *<b>really</b>* get the problem and understand the risk, but it is not being shared and touted and taught and screamed from the rooftops. 
</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Frederick Donovan [mailto:fred.donovan@owasp.org] <br><b>Sent:</b> Friday, March 25, 2011 11:32 AM<br><b>To:</b> Chris Schmidt<br><b>Cc:</b> Jim Manico; <a href="mailto:owasp-leaders@owasp.org">owasp-leaders@owasp.org</a><br><b>Subject:</b> Re: Wait, what?</span><o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">JSONP <u>itself</u> does nothing malicious, nor does it pose a "security flaw" as the blogger mentioned in 2005. It's just a mechanism of sharing data across sites. 
He's misusing the term, and it's really about developers putting script tags on a page that link to other sites.<br>For example, if I were to embed a Google map on my page (for office locations or whatever) I could use an iframe or perhaps set it up to require a script tag on that page that loads everything it needs to. So the concern in this scenario is putting a script tag on a page that links to Google Maps - if a hacker can pwn the Google Maps page they can replace the script with something malicious, so that everyone who visits the page is pwned in some way. It's XSS, but only if the other site (Google Maps) is pwned.<br><br>The author falsely states that it is a browser flaw. Script tags are not a browser flaw. It's the responsibility of the person developing the page to make sure they are linking to a trusted JavaScript file. The term "JSONP" should not even be used at all. It just happens to be a technique of how JavaScript is used, which is irrelevant to the main issue.<br><br>Leo and I addressed this at OWASP Summit 08. I thought we had addressed it on the OWASP site already (but apparently not, Chris). <br><br>-Fred<o:p></o:p></p><div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Thu, Mar 24, 2011 at 8:16 PM, Chris Schmidt &lt;<a href="mailto:chris.schmidt@owasp.org">chris.schmidt@owasp.org</a>&gt; wrote:<o:p></o:p></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My hope is that someone with a bit more time can take this on :)<br><br>Sent from my iPwn<o:p></o:p></p><div><div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>On Mar 24, 2011, at 6:13 PM, Jim Manico &lt;<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt; wrote:<br><br>&gt; Dude: Go to the wiki, make a new page, hit edit and start writing about it! 
:)<br>&gt;<br>&gt; - Jim<br>&gt;<br>&gt;&gt; That's kind of my point - this isn't exactly *new*, yet OWASP has nothing<br>&gt;&gt; about the attack, how to solve, or the impacts of the attack<br>&gt;&gt;<br>&gt;&gt; -----Original Message-----<br>&gt;&gt; From: Jim Manico [mailto:<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>]<br>&gt;&gt; Sent: Thursday, March 24, 2011 6:00 PM<br>&gt;&gt; To: Chris Schmidt<br>&gt;&gt; Cc: <a href="mailto:owasp-leaders@owasp.org">owasp-leaders@owasp.org</a><br>&gt;&gt; Subject: Re: Wait, what?<br>&gt;&gt;<br>&gt;&gt; Folks have been talking about this since 2005.<br>&gt;&gt;<br>&gt;&gt; <a href="http://blog.unclehulka.com/2005/12/12/jsonpyoure-joking-right/">http://blog.unclehulka.com/2005/12/12/jsonpyoure-joking-right/</a><br>&gt;&gt;<br>&gt;&gt; <a href="http://www.google.com/search?q=JSONP">http://www.google.com/search?q=JSONP</a><br>&gt;&gt;<br>&gt;&gt; - Jim<br>&gt;&gt;<br>&gt;&gt;<br>&gt;&gt;&gt; Looking for references for a vulnerability in an application using<br>&gt;&gt;&gt; JSONP without any CSRF Protection, I naturally came to the <a href="http://owasp.org">owasp.org</a><br>&gt;&gt;&gt; site first - would you believe there is absolutely *nothing* on the<br>&gt;&gt;&gt; OWASP site about this???<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt; I couldn't believe it, this is a very impactful classification of<br>&gt;&gt;&gt; attack that makes CSRF 10x more dangerous than it would normally be. 
I<br>&gt;&gt;&gt; plan on blogging about the dangers of this scenario and will shoot out<br>&gt;&gt;&gt; a link as soon as it is up (tonight more than likely) - but I really<br>&gt;&gt;&gt; think that if anyone else out there has some time and bandwidth to<br>&gt;&gt;&gt; write up some <a href="http://owasp.org">owasp.org</a> material on the subject, it would be a great<br>&gt;&gt;&gt; addition to the site and something that could use some attention.<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt; If you have no clue what I am talking about, or generally think I am<br>&gt;&gt;&gt; full of crap about the seriousness of the attack - I recommend you<br>&gt;&gt;&gt; watch for my link.<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;&gt; Thanks J<br>&gt;&gt;&gt;<br>&gt;&gt;&gt;<br>&gt;&gt;<br>&gt;&gt;<br>&gt;<o:p></o:p></p></div></div></div><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p></div></div></blockquote></div></div></div></blockquote></body></html>
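The two-stage JSONP attack Chris walks through in the thread above, and the controls he names (CSRF protection and whitelist validation of the callback name), as an added example that is not part of the thread and not anyone's code from it. It models b.com's two services as plain functions over a request object so that the attack and the fix run offline; makeBank, vulnerableHandle, hardenedHandle, attackerPage, runAsScriptTag, the session cookie, the CSRF token and the account numbers are all assumptions. For the authenticated GetUserDetails call the hardened variant also replaces JSONP with plain JSON behind an Origin allow-list and a custom request header, which is the CORS-style replacement a practitioner would use today rather than something the thread itself proposes.

```javascript
// Added example, not code from the thread. b.com's two services are modelled
// as functions over a plain request object so that the attack chain and the
// fix run offline. makeBank, vulnerableHandle, hardenedHandle, attackerPage,
// the session cookie, CSRF token and account numbers are all assumptions.

const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;   // allow-list for ?callback=
const TRUSTED_ORIGINS = new Set(['https://a.com']); // assumed sibling site

// Constructed state: joe is logged in to b.com via the "sid" cookie,
// 99999 is the attacker's account.
function makeBank() {
  return {
    sessions: { 'sid-joe': { user: 'joe', acct: '12345', csrf: 'tok-7f3a' } },
    accounts: { '12345': 5000, '99999': 0 },
  };
}
const session = (bank, req) => bank.sessions[(req.cookies || {}).sid];
const q = (req, k) => (req.query || {})[k];

function transfer(bank, from, to, amt) {
  const n = Number(amt);
  if (!(n > 0) || !(from in bank.accounts) || !(to in bank.accounts)) return false;
  if (bank.accounts[from] < n) return false;
  bank.accounts[from] -= n;
  bank.accounts[to] += n;
  return true;
}

// JSON.stringify leaves U+2028/U+2029 raw and, inside script source, they are
// line terminators; escape them before wrapping the JSON in the callback.
function jsSafeJson(payload) {
  return JSON.stringify(payload).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Vulnerable: the services as the thread describes them. Any request carrying
// joe's cookie is honoured, whichever page issued the script tag, the callback
// name is reflected unchecked, and a GET changes state.
function vulnerableHandle(bank, req) {
  const s = session(bank, req);
  if (!s) return { status: 401, body: '' };
  const cb = q(req, 'callback');
  if (req.path === '/service/GetUserDetails') {
    return { status: 200, body: `${cb}(${jsSafeJson([{ name: s.user, acct_number: s.acct }])});` };
  }
  if (req.path === '/service/TransferFunds') {
    const ok = transfer(bank, q(req, 'fromAcct'), q(req, 'toAcct'), q(req, 'amt'));
    const out = [{ success: ok, depositAmount: ok ? Number(q(req, 'amt')) : 0 }];
    return { status: 200, body: `${cb}(${jsSafeJson(out)});` };
  }
  return { status: 404, body: '' };
}

// What the browser does with a JSONP response: execute it with the page's
// callback in scope. Returns whatever the script passed to that callback.
function runAsScriptTag(body, callbackName) {
  let captured;
  new Function(callbackName, body)((data) => { captured = data; });
  return captured;
}

// Hardened. Authenticated data leaves only as plain JSON, only to an
// allow-listed Origin, and only with a custom header a script tag cannot set.
// State changes need POST plus the session's CSRF token. JSONP survives only
// for public data, with the callback name checked against CALLBACK_RE.
function hardenedHandle(bank, req) {
  const h = req.headers || {};
  if (req.path === '/service/PublicRates.jsonp') {
    const cb = q(req, 'callback') || '';
    if (!CALLBACK_RE.test(cb)) return { status: 400, body: '' };
    return { status: 200, body: `/**/${cb}(${jsSafeJson({ usd_eur: 0.91 })});` };
  }
  const s = session(bank, req);
  if (!s) return { status: 401, body: '' };
  if (!TRUSTED_ORIGINS.has(h.origin)) return { status: 403, body: '' };
  if (req.path === '/service/GetUserDetails') {
    if (h['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' };
    return { status: 200, body: JSON.stringify({ name: s.user, acct_number: s.acct }),
      cors: { 'Access-Control-Allow-Origin': h.origin, 'Access-Control-Allow-Credentials': 'true' } };
  }
  if (req.path === '/service/TransferFunds') {
    if (req.method !== 'POST') return { status: 405, body: '' };
    if (h['x-csrf-token'] !== s.csrf) return { status: 403, body: '' };
    const b = req.body || {};
    const ok = transfer(bank, b.fromAcct, b.toAcct, b.amt);
    return { status: ok ? 200 : 400, body: JSON.stringify({ success: ok }) };
  }
  return { status: 404, body: '' };
}

// The attacker's page from the thread: one script tag to learn the account
// number, a second one built from the answer to move the money. Returns the
// balances afterwards so the two handlers can be compared.
function attackerPage(handle, bank) {
  const scriptTag = (path, query) =>
    handle(bank, { method: 'GET', path, query, cookies: { sid: 'sid-joe' }, headers: {} });
  const first = scriptTag('/service/GetUserDetails', { callback: 'getAccountData' });
  if (first.status === 200) {
    const data = runAsScriptTag(first.body, 'getAccountData');
    scriptTag('/service/TransferFunds',
      { callback: 'wasSuccess', fromAcct: data[0].acct_number, toAcct: '99999', amt: '1000' });
  }
  return { ...bank.accounts };
}
```

Against `vulnerableHandle`, `attackerPage` ends with 1000 moved from 12345 to 99999 without joe doing anything; the same page against `hardenedHandle` is refused at the first script tag (a script-tag load carries neither the allow-listed Origin nor the custom header), and a GET to TransferFunds is refused with 405 before the token is even examined. a.com's own credentialed XHR, sending the Origin, the custom header and the session's CSRF token, still goes through. The Origin check is deliberately coarse: it stands in for the browser's CORS handling, in which the custom header forces a preflight that a script tag or a plain form post can never satisfy.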