Error in documentation

Discussions about the Application Boundaries Enforcer (ABE) module
RobertDrew
Junior Member
Posts: 32
Joined: Sun Jun 14, 2015 6:51 pm

Error in documentation

Post by RobertDrew »

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny
The above rules do not do what the highlighted portion of the comments describe, due to the highlighted portion of the rules.

Here's a corrected version of the rules, so that they match the description in the comments. The change is highlighted ...
# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Deny SUB
Accept GET
Deny
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Error in documentation

Post by Thrawn »

I think you're right. Thanks for pointing it out.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
fatboy
Senior Member
Posts: 82
Joined: Fri Jul 25, 2014 6:56 am

Re: Error in documentation

Post by fatboy »

RobertDrew wrote: Deny SUB
Why not Deny POST SUB?

Accept POST SUB from SELF
Accept GET #but not POST SUB
Deny #including POST SUB

Incorrectly?
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Error in documentation

Post by barbaz »

fatboy wrote: Why not Deny POST SUB?
Because it's not needed, Deny POST is already covered by the Deny on the end.
*Always* check the changelogs BEFORE updating that important software!
-
fatboy
Senior Member
Posts: 82
Joined: Fri Jul 25, 2014 6:56 am

Re: Error in documentation

Post by fatboy »

@barbaz
Deny SUB is not already covered by the Deny on the end?
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Error in documentation

Post by barbaz »

fatboy wrote: Deny SUB is not already covered by the Deny on the end?
Indeed not, because the "Accept GET" would have already let any GET requests to 'SUB's through.
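The ordering point barbaz makes above (a subdocument load is still an HTTP GET, so "Accept GET" catches it before a later "Deny SUB" can) is easy to see in a toy evaluator. The following is an added illustration and is not NoScript's own ABE code; it assumes first-matching-rule-wins semantics, that SUB matches any frame/iframe load (whose method is GET, so it also matches GET), that SELF matches origins covered by the Site pattern, and that a request matching no rule is accepted. Origins and requests are constructed for the example.

```javascript
// Toy model of how ABE walks a Site block. Added illustration, not NoScript's
// own evaluator. Assumed semantics (not taken from the ABE source): rules are
// tried top to bottom and the first whose method list and optional "from"
// origin list both match decides the request; SUB matches a subdocument
// (frame) load, whose HTTP method is still GET, so GET matches it too; SELF
// matches any origin covered by the Site pattern; no match means Accept.

// The two rulesets from the thread, comments dropped.
const ORIGINAL = `
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny
`;

const CORRECTED = `
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Deny SUB
Accept GET
Deny
`;

function parseBlock(text) {
  const lines = text.split('\n').map(l => l.replace(/#.*/, '').trim()).filter(Boolean);
  const site = lines[0].split(/\s+/)[1];            // "Site *.somesite.com"
  const rules = lines.slice(1).map(line => {
    const [action, ...rest] = line.split(/\s+/);    // "Accept POST SUB from ..."
    const at = rest.indexOf('from');
    const methods = at === -1 ? rest : rest.slice(0, at);
    return {
      action,
      methods: methods.length ? methods : ['ALL'],  // bare "Deny" means everything
      origins: at === -1 ? null : rest.slice(at + 1),
    };
  });
  return { site, rules };
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

function originMatches(spec, site, origin) {
  if (spec === 'SELF') return hostMatches(site, origin.hostname);
  const u = new URL(spec);                          // e.g. https://secure.somesite.com
  return u.protocol === origin.protocol && u.hostname === origin.hostname;
}

// req = { method: 'GET' | 'POST', sub: boolean, origin: 'https://host' }
function decide(blockText, req) {
  const { site, rules } = parseBlock(blockText);
  const origin = new URL(req.origin);
  for (const rule of rules) {
    const methodHit = rule.methods.some(m =>
      m === 'ALL' || m === req.method || (m === 'SUB' && req.sub));
    const originHit = rule.origins === null ||
      rule.origins.some(spec => originMatches(spec, site, origin));
    if (methodHit && originHit) return rule.action;  // first match wins
  }
  return 'Accept';                                   // assumed default
}

// Constructed sample requests against *.somesite.com.
const crossSiteFrame = { method: 'GET',  sub: true,  origin: 'https://attacker.example' };
const sameSiteFrame  = { method: 'GET',  sub: true,  origin: 'https://secure.somesite.com' };
const crossSiteLink  = { method: 'GET',  sub: false, origin: 'https://attacker.example' };
const crossSitePost  = { method: 'POST', sub: false, origin: 'https://attacker.example' };

function compare(req) {
  return { original: decide(ORIGINAL, req), corrected: decide(CORRECTED, req) };
}

for (const [name, req] of Object.entries({ crossSiteFrame, sameSiteFrame, crossSiteLink, crossSitePost })) {
  console.log(name, compare(req));
}
```

Only the cross-site frame case differs: the original ruleset lets "Accept GET" admit it (the clickjacking case the comment claims to prevent), while the corrected one hits "Deny SUB" first. Same-site frames, cross-site links and cross-site POSTs get the same answer under both rulesets.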
fatboy
Senior Member
Posts: 82
Joined: Fri Jul 25, 2014 6:56 am

Re: Error in documentation

Post by fatboy »

Thanks.