Re: Seamless iframes + CSS3 selectors = bad idea

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 5 Dec 2009 10:17:35 -0800
Message-ID: <7789133a0912051017k778346a2wf8b849bc2e069870@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Collin Jackson <w3c@collinjackson.com>, public-web-security@w3.org

I think Collin's point about the CSRF tokens is that they tend to be
on every page anyway.

Adam


On Sat, Dec 5, 2009 at 10:16 AM, sird@rckc.at <sird@rckc.at> wrote:
> Collin, this attack allows you to steal nonces, making CSRF protections less
> efficient. Seamless iframes make this work on ALL of the domain/origin.
>
> Greetings.
>
> On Dec 6, 2009 2:05 AM, "Collin Jackson" <w3c@collinjackson.com> wrote:
>
> A few thoughts:
>
> * The password stealing attack can already be accomplished using the
> iframe to create a login page and prompting the user to type their
> password. It's not necessary to use CSS3 or seamless.
> * If the password manager is used, CSS3 + seamless lets you steal the
> password without user interaction.
> * However, if you can inject arbitrary CSS3 and a seamless iframe into
> a page, there's a good chance you can inject a password field, so this
> password manager attack doesn't require seamless, just CSS3.
> * Many webapps include a CSRF token in every page as a hidden form
> field. If the page that allows CSS3 injection includes such a token,
> you don't need seamless iframes to steal the token.
>
> It seems like CSS3 is adding a lot of attack surface; sites may need
> to block arbitrary CSS3 injection regardless of seamless. That is
> unfortunate since browser vendors have been removing expression,
> -moz-binding, and other features that make CSS injection dangerous.
>
> On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
>> I see.  The issue is that t...
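Added example, not code from this thread or from any of its authors: a small allowlist filter in Python for user-supplied CSS, the kind of control Collin's last paragraph points at when he says sites may need to block arbitrary CSS3 injection regardless of seamless. It rejects attribute selectors (which can match on attribute values, including a hidden CSRF token field), at-rules, any function syntax (so url(), expression() and -moz-binding's url() binding never pass), and anything outside a short property allowlist. The function name `check_user_css`, the property set and the selector grammar are my own choices, not anything the thread specifies.

```python
import re

# Allowlist filter for user-supplied CSS (added example, not from the thread).
# Everything not explicitly permitted is rejected, which is the only safe
# direction for a CSS filter: the thread notes that browser vendors keep
# removing dangerous features (expression, -moz-binding) and that CSS3
# selectors add new attack surface, so a denylist would always lag behind.

# Simple selectors only: tag, .class, #id, tag.class, tag#id (no combinators,
# no attribute selectors, no pseudo-classes).  Assumption: enough for
# user themes, which is the use case this filter is meant for.
SELECTOR = re.compile(r"^(?:[a-zA-Z][\w-]*)?(?:[.#][a-zA-Z][\w-]*)*$")

# Hypothetical allowlist of harmless presentational properties.
PROPERTIES = {"color", "background-color", "font-size", "font-weight",
              "font-style", "text-align", "margin", "padding", "border"}

# Plain values: words, digits, #hex, %, units, commas.  No ( ) [ ] " ' / \ : ;
VALUE = re.compile(r"^[\w\s#%.,-]+$")


def check_user_css(css):
    """Return (True, None) if every rule is on the allowlist, else (False, reason)."""
    # Hard stops: comments, at-rules (@import), function syntax (url(),
    # expression(), -moz-binding: url()), attribute selectors, CSS escapes,
    # and '<' so the sheet cannot break out of a <style> element.
    # Rejecting '(' also drops rgb(...) values; that is a deliberate trade-off.
    for bad in ("/*", "@", "(", "[", "\\", "<"):
        if bad in css:
            return False, f"forbidden character sequence {bad!r}"
    body = css.strip()
    if not body:
        return True, None
    if body.count("{") != body.count("}"):
        return False, "unbalanced braces"
    for chunk in body.split("}"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "{" not in chunk:
            return False, "declarations outside a rule"
        selector_part, decl_part = chunk.split("{", 1)
        if "{" in decl_part:
            return False, "nested rule"
        # Every comma-separated selector must match the simple grammar.
        for sel in selector_part.split(","):
            sel = sel.strip()
            if not sel or not SELECTOR.match(sel):
                return False, f"selector not allowed: {sel!r}"
        # Every declaration must be an allowlisted property with a plain value.
        for decl in decl_part.split(";"):
            decl = decl.strip()
            if not decl:
                continue
            if ":" not in decl:
                return False, f"malformed declaration: {decl!r}"
            prop, value = (s.strip() for s in decl.split(":", 1))
            if prop.lower() not in PROPERTIES:
                return False, f"property not allowed: {prop!r}"
            if not VALUE.match(value):
                return False, f"value not allowed: {value!r}"
    return True, None


if __name__ == "__main__":
    # Constructed samples: one benign theme rule and the constructs the
    # thread calls out (attribute selector, @import, expression, -moz-binding).
    for sample in (
        "p.intro, #main { color: #333; font-size: 14px }",
        "input[type=hidden] { color: red }",
        "@import url(http://example.invalid/x.css);",
        "div { width: expression(alert(1)) }",
        "div { -moz-binding: url(x) }",
    ):
        print(check_user_css(sample), "<-", sample)
```

The filter is meant to sit in front of any feature that stores user-authored CSS (profile themes, widget styling) and to reject, not rewrite, anything it does not understand; a sanitizer that tries to repair a sheet gives the browser's own error recovery a chance to reinterpret what is left. It does not address CSS that reaches the page through an HTML injection rather than a styling feature; that path needs output encoding on the HTML side.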
Received on Saturday, 5 December 2009 18:18:28 GMT
