Wednesday, September 13, 2006

my Pizza got lost on an HTTP Redirect



Well, imagine the following scenario:
You order a pizza with all the toppings you like.
Then you get invited to watch a game with your neighbours.

You leave a note on the door saying something like:
"Dear Pizza delivery guy,
We are at the neighbours one floor below - apt. 16, Thanks!"
and off you go to your neighbours to watch that game.

30 min. later, more or less, there is a knock on the door,
hmm... I wonder who that could be - Yep, you guessed right,
It's the Pizza delivery guy!

However - That's weird - Where is the pizza? So naturally you ask him:
"hmm... - Where is my pizza?"


The delivery guy explains that it is company policy that if there is a note on the door, the delivery guy should go to wherever the note indicates, but "the delivery guy MUST NOT automatically take the pizza with him unless it can be confirmed by the person who ordered the pizza, since this might change the conditions under which the pizza was ordered."

I don't know about you, but when I leave such a note on the door, I expect the pizza to be redirected with all the toppings.

It might sound weird when talking about pizzas, but IMHO it is no less weird when talking about HTTP POST requests that get a response from the 3xx family.

I really see no security issue with redirecting the pizza, sorry - the POST data, to any address the receiving server asked it to be redirected to. After all, the data was available to that server and he could just take it and send it (back-end) to anywhere he likes. If I trust that site then by transitivity I trust any other site he trusts - not to mention the fact that more often than not it will be just another apartment in the same building, sorry again - another URL in the same domain.

Now where is my pizza ?!

note: pizza company policy adopted more or less from http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3


one last note - I would agree that a request that was sent using HTTPS should not be allowed to be redirected to a non-HTTPS address for safety reasons. This is just to make sure the pizza remains hot.
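
The company policy quoted above, together with the HTTPS note, written out as a client-side decision function. This is an added example, not code from the original post; the function names, the action labels and the shop.example / cdn.example URLs are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# RFC 2616 sections 10.3.2, 10.3.3 and 10.3.8: for these codes a request other
# than GET or HEAD MUST NOT be redirected automatically without confirmation.
CONFIRM_FOR_UNSAFE = {301, 302, 307}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def redirect_decision(method, status, request_url, location):
    """Decide what a client does with a 3xx response.

    Returns a dict with 'action', 'target' and 'same_origin'. The action
    labels are illustrative names, not taken from any real client.
    """
    # Clients commonly accept a relative Location, so resolve it first.
    target = urljoin(request_url, location)
    result = {"target": target,
              "same_origin": origin(request_url) == origin(target)}

    if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme != "https":
        # The post's own caveat: never carry an HTTPS request over to HTTP.
        result["action"] = "refuse"
    elif status == 303:
        # 10.3.4: retrieve the target with GET; the POST body is not re-sent.
        result["action"] = "follow_as_get"
    elif status in CONFIRM_FOR_UNSAFE:
        safe = method.upper() in ("GET", "HEAD")
        result["action"] = "follow" if safe else "confirm"
    else:
        result["action"] = "not_handled"
    return result


if __name__ == "__main__":
    # Constructed sample responses: (method, status, request URL, Location).
    samples = [
        ("POST", 302, "https://shop.example/order", "/order/thanks"),
        ("POST", 307, "https://shop.example/order", "https://cdn.example/o"),
        ("POST", 307, "https://shop.example/order", "http://shop.example/order"),
    ]
    for sample in samples:
        print(sample, "->", redirect_decision(*sample))
```

The same_origin field lets a confirmation prompt tell "another apartment in the same building" apart from a redirect that sends the body to a different site.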

2 comments:

Fernando Felman said...

I think that the main difference is that redirecting your Pizza is "no biggie" in terms of risk, whereas post requests can contain sensitive data. If both original and redirected locations could agree to the redirection (maybe by using certificates), then the risk of redirecting post data would be lower.

Eyal Peleg said...

I disagree.
Losing a Pizza is actual physical damage (i.e. loss of pizza and related money).
As for the sensitive data - you already sent it to someone else; he can do with it whatever he likes, including sending it to anyone he sees fit.
As for having the original and redirected locations agree to the redirection, well, obviously they would - especially if it's a scam and they are trying to rip you off your valuable data.
If anything at all, it might make sense to block all redirects regardless of the data they have and let the user approve them; this is because the USER is being sent to another site, not because his DATA is sent there.

 