W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Sun, 6 Dec 2009 14:28:42 +0800
Message-ID: <8ba534860912052228g50649e11j21f8a52ac46826da@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: sird@rckc.at, public-web-security@w3.org
xss without css..

i dont know if some one else discovered this type of attacks before us on
bluehat last year.. but it doesnt matter.

its amazing that if it was known for so long untill now people are
considering the security ramirications of those new toys.

anyway.. i dont want to rant about this..

greetz

On Dec 6, 2009 2:17 PM, "Ian Hickson" <ian@hixie.ch> wrote:

On Fri, 4 Dec 2009, Eduardo Vela wrote: > > I sincerely understand why
people want seamless iframes ...

> What I see with those awesome CSS3 selectors such as: > >
input[type=password][value^=a]{backgrou...
How is the attacker inserting CSS into the page, in this scenario?

I agree that if an attacker can insert CSS into a victim page, that
numerous information retrieval attacks are possible (though not currently
a password attack, as Maciej mentioned). However, this has long been
known, it doesn't seem to be a new problem.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 06:29:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT