On 07/11/2013 02:41 PM, Yoav Nir wrote:
>
> * GET /maingage.html?button=shutdown caused the firewall to power-off.
> * GET /mainpage.html?button=unload caused the firewall to unload
> policy, so that it didn't enforce policy or do IPsec or anything a router
> wouldn't do.
>
> So I tried opening another browser tab, and loading an HTML document that
> said <img src="https://myfw/mainpage.html?button=shutdown">
>
> Yes, the firewall powered down, and if I had used "unload" instead of
> "shutdown" that would be the end of enforcing a security policy.
>
> Now, granted, this is epic levels of cluelessness.
These are indeed epic levels of cluelessness. At the very least the authors of such an appliance need to learn the distinction between POST and GET, which would prevent your "attack". If the authors aren't capable of making this distinction (which has been around for nearly 20 years), and they don't use widely-known measures for CSRF protection (itself coming up on 10 years old, I think) when they have users who enable JavaScript, I strongly doubt they'll deploy any sort of fancy session continuation even if we specify it perfectly.

I'm not sure this sort of example is a reasonable argument for developing any new standard technical measures, since by definition the culprits here are not making use of standard technical measures.

Regards,

--dkg
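An added illustration for the exchange above, not code from the thread or from the appliance Yoav describes: a toy request handler that contrasts the appliance's behaviour (any authenticated GET with ?button=... acts) with the two measures dkg's reply names, state changes only on POST and only with a per-session CSRF token. The session store, cookie value, form layout and function names are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed session store: session cookie value -> per-session CSRF token.
SESSIONS = {"sess-abc123": secrets.token_hex(16)}

# State-changing button values; the two names come from the thread.
STATE_CHANGING = {"shutdown", "unload"}


def handle_vulnerable(method, query, cookie):
    """Appliance as described: an authenticated GET with ?button=... acts.
    The browser attaches the session cookie to an <img src=...> fetch from
    any other page, so that cross-site GET changes firewall state."""
    if cookie not in SESSIONS:
        return 401, None
    button = parse_qs(query).get("button", [None])[0]
    if button in STATE_CHANGING:
        return 200, button          # state changed by a bare GET
    return 200, None


def handle_hardened(method, query, cookie, form):
    """Same endpoint with POST-only state changes and a CSRF token check."""
    if cookie not in SESSIONS:
        return 401, None
    if method != "POST":
        return 405, None            # a GET, e.g. from <img>, never acts
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[cookie]):
        return 403, None            # no/forged token: cross-site POST rejected
    button = form.get("button")
    if button in STATE_CHANGING:
        return 200, button
    return 400, None


def cross_site_img_request():
    """Replays the <img src="...?button=shutdown"> fetch against both handlers.
    Returns (vulnerable_result, hardened_result)."""
    req = ("GET", "button=shutdown", "sess-abc123")
    return handle_vulnerable(*req), handle_hardened(*req, form={})


def legitimate_post(cookie="sess-abc123", button="shutdown"):
    """A same-site form submit carrying the session's CSRF token."""
    form = {"button": button, "csrf_token": SESSIONS[cookie]}
    return handle_hardened("POST", "", cookie, form)
```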
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec