W3C home > Mailing lists > Public > public-html-comments@w3.org > August 2011

Re: [html5] Input attributes allow form tampering

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 2 Aug 2011 21:50:59 +0000 (UTC)
To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
cc: public-html-comments@w3.org
Message-ID: <Pine.LNX.4.64.1108022147010.18680@ps20323.dreamhostps.com>
On Tue, 2 Aug 2011, Philippe De Ryck wrote:
>
> The new form attributes, which can be used with submit buttons, can make 
> it difficult for a user to distinguish the form that is being submitted. 
> This can be used by an adversary to trick the user into submitting a 
> form, such as an autocompleted login form. Even though this attack was 
> already possible with JavaScript enabled, this new vector does not 
> depend on scripts. Additionally, it is possible that current content 
> validation filters do not yet prevent against button injection.

Surely this was already possible by just injecting </form><form action...> 
in the same place as the button would be inserted today?


> Alternatively, if changing the specification is not possible, developers 
> should be warned about this attack vector, so they can update their 
> content filters.

Filters must be written using whitelists. A filter written using a 
blacklist is essentially worthless. A whitelist filter would not be 
affected by this or many other additions to HTML.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 August 2011 21:51:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 August 2011 21:51:21 GMT