For a little background on cross-site requests, Wikipedia has some good info. Our friend Alex Russell of the Dojo Toolkit posted a note on the topic, and Joe Walker has also posted a couple of entries on it. Each of these covers ways to prevent this sort of attack and explains why their particular frameworks aren't vulnerable. Bob takes a slightly more aggressive stance, calling the Fortify paper FUD.
Bottom line: Zimbra is not vulnerable to the attacks described in the paper. Specifically, we use POST for all data communication from our AJAX client to our server. In the POST request we include a Zimbra-created auth token that is present both in the cookie and in the POST body (as part of the SOAP header). The server verifies that both are included and identical, which ensures that the sender of the request is the actual user's browser. Secondly, the responses from our server are JSON data objects; using JSON objects rather than arrays prevents the type of attack described in the paper. Bob's post goes into the details of why and includes an example to prove it.

We are glad people are noticing and paying attention to security topics as new webapps take further advantage of the browser. To further discuss this topic, please visit the Zimbra Forums.
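The two checks described above, the cookie-versus-SOAP-header token comparison and the "responses are JSON objects, not arrays" rule, as an added illustration that is not Zimbra's own code. The cookie name, the SOAP header field name and the sample requests are constructed for the example; Zimbra's real names are not given in the post.

```python
import hmac
import json
from dataclasses import dataclass, field

# Assumed names for the illustration; not taken from Zimbra's implementation.
AUTH_COOKIE = "ZM_AUTH_TOKEN"
SOAP_TOKEN_FIELD = "authToken"


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    soap_header: dict = field(default_factory=dict)  # parsed SOAP <Header>


def verify_request(req: Request) -> tuple[bool, str]:
    """Double-submit rule from the post: POST only, token in cookie AND SOAP
    header, and the two must match. The browser attaches the cookie to any
    cross-site request, but a third-party page cannot read it to copy it
    into the body, so the match proves the request came from our own client."""
    if req.method != "POST":
        return False, "data requests must use POST"
    cookie_tok = req.cookies.get(AUTH_COOKIE)
    body_tok = req.soap_header.get(SOAP_TOKEN_FIELD)
    if not cookie_tok or not body_tok:
        return False, "auth token missing from cookie or SOAP header"
    if not hmac.compare_digest(cookie_tok, body_tok):  # constant-time compare
        return False, "cookie and SOAP header tokens differ"
    return True, "ok"


def response_is_object(body: str) -> bool:
    """A top-level JSON object is a syntax error when loaded as a bare <script>,
    whereas a top-level array is a valid expression; enforce the former."""
    return isinstance(json.loads(body), dict)


def demo() -> dict:
    tok = "constructed-token-123"
    legit = Request("POST", {AUTH_COOKIE: tok}, {SOAP_TOKEN_FIELD: tok})
    # Cross-site requests: the browser adds the cookie, the page cannot add the token.
    xs_get = Request("GET", {AUTH_COOKIE: tok})
    xs_form_post = Request("POST", {AUTH_COOKIE: tok}, {})
    xs_guess = Request("POST", {AUTH_COOKIE: tok}, {SOAP_TOKEN_FIELD: "wrong"})
    return {
        "legit": verify_request(legit)[0],
        "xs_get": verify_request(xs_get)[0],
        "xs_form_post": verify_request(xs_form_post)[0],
        "xs_guess": verify_request(xs_guess)[0],
        "object_ok": response_is_object('{"Body": {"items": [1, 2]}}'),
        "array_ok": response_is_object('[{"secret": 1}]'),
    }
```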