
Re: Seamless iframes + CSS3 selectors = bad idea

From: Ian Hickson <ian@hixie.ch>
Date: Sun, 6 Dec 2009 09:21:42 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Cc: Maciej Stachowiak <mjs@apple.com>, sird@rckc.at, public-web-security@w3.org
Message-ID: <Pine.LNX.4.62.0912060909130.5629@hixie.dreamhostps.com>
On Sat, 5 Dec 2009, Adam Barth wrote:
>
> I think you're missing the main attack that sird's worried about:
> 
> Assumptions:
> 
> 1) The attacker can inject content into the target web site, but
> cannot inject script.

If you grant the assumption that the page has a faulty filter, IMHO it 
becomes easy to have all kinds of vulnerabilities. That filters should 
make sure the user can't insert arbitrary CSS is not new. Selectors and 
expressions get more and more expressive with each year, but they pale in 
comparison to the kind of deep analysis you can do to a page using XSLT 
and XPath, for example. This is why filters should always whitelist only 
features they consider safe.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 6 December 2009 09:22:13 GMT
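To make the allowlist principle in the reply above concrete, here is an added example (not code from the thread or from any of its participants) of a minimal filter for user-supplied style rules. It accepts only class selectors and a fixed set of properties, so attribute selectors, pseudo-classes, `url()` values and unknown properties are dropped rather than having to be enumerated as dangerous. The rule grammar, the property list and the sample stylesheet are all assumptions constructed for this example.

```python
import re

# Properties a site might decide are safe for user styling (assumption for this example).
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-weight", "font-style",
    "text-decoration", "margin", "padding", "border",
}

# Allowlisted selector shape: one or more class names only, e.g. ".note" or ".note.warn".
# Anything else (type, attribute, pseudo-class, combinator) is rejected by construction.
SAFE_SELECTOR = re.compile(r"^\.[A-Za-z_][\w-]*(\.[A-Za-z_][\w-]*)*$")

# Allowlisted value alphabet: keywords, numbers, units, hex colours and lists.
# Parentheses, quotes, slashes and backslashes are not in the set, so url(), escapes
# and similar constructs cannot pass.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9#%.,\s-]+$")

# Crude rule splitter: "selector { declarations }" with no nesting support.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def filter_user_css(css):
    """Return (kept_rules, rejected) for a user-supplied stylesheet.

    kept_rules: list of re-serialised rules built only from allowlisted parts.
    rejected:   list of (selector, reason) entries explaining each drop.
    """
    kept = []
    rejected = []
    for raw_selector, body in RULE.findall(css):
        selector = raw_selector.strip()
        if not SAFE_SELECTOR.match(selector):
            rejected.append((selector, "selector not in allowlist"))
            continue
        decls = []
        for decl in body.split(";"):
            if not decl.strip():
                continue
            if ":" not in decl:
                rejected.append((selector, f"malformed declaration {decl.strip()!r}"))
                continue
            prop, _, value = decl.partition(":")
            prop = prop.strip().lower()
            value = value.strip()
            if prop not in ALLOWED_PROPERTIES:
                rejected.append((selector, f"property {prop!r} not allowed"))
                continue
            if not SAFE_VALUE.match(value):
                rejected.append((selector, f"value for {prop!r} not allowed"))
                continue
            decls.append(f"{prop}: {value}")
        if decls:
            # Re-serialise from the parsed parts; never echo the raw input back.
            kept.append(f"{selector} {{ {'; '.join(decls)}; }}")
    return kept, rejected


# Constructed sample input for the example: one clean rule, one attribute-selector
# rule and one rule mixing an allowed and a disallowed property.
USER_CSS = """
.note { color: #336699; font-weight: bold; }
input[value^="a"] { color: red; }
.promo { background-color: red; background-image: url(x.png); }
"""

if __name__ == "__main__":
    kept_rules, dropped = filter_user_css(USER_CSS)
    print("kept:")
    for rule in kept_rules:
        print("  " + rule)
    print("rejected:")
    for selector, reason in dropped:
        print(f"  {selector!r}: {reason}")
```

The point of the design is that the filter never has to know which selector features or value syntaxes are dangerous this year: everything outside the small grammar it understands is rejected, which is what makes the approach robust as selectors and functions keep gaining expressiveness.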

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT