W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 07 Dec 2009 03:00:54 -0800
Cc: sird@rckc.at, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Message-id: <C162011A-623B-49D4-AFEA-37EE65685BF4@apple.com>
To: gaz Heyes <gazheyes@gmail.com>

On Dec 6, 2009, at 3:28 AM, gaz Heyes wrote:

> 2009/12/6 Maciej Stachowiak <mjs@apple.com>
>
> On Dec 6, 2009, at 1:22 AM, sird@rckc.at wrote:
>
> hi!
>
> I understood only members/invited.experts had a real vote in it..  
> anyway
>
> wrt autofocus it enables xss vectors without user interaction (Mario  
> Heiderich/Gareth Heyes).
>
>
> Cn you give me an explanation of the exploit or a link to an  
> explanation? I'm not familiar with the issue you are referring to.
>
> Regards,
> Maciej
>
> If an injection occurs within a <input type="text" INJECTION_HERE  
> and the <> chars are filtered. HTML5 allows us to auto execute  
> vectors by supplying autofocus. Normally a user would have to be  
> tricked into clicking the element without CSS expression/moz-binding/ 
> behaviour vectors but HTML5 add new XSS vectors. The injection would  
> work like this:-
>
> "AUTOFOCUS onfocus=alert(1) x="
>
> Many form based elements support this auto executing method:-
> <input autofocus onfocus=alert(1)>
> <textarea autofocus onfocus=alert(1)>
> <keygen autofocus onfocus=alert(1)>
> <select autofocus onfocus=alert(1)>
>
> Works on Chrome+Safari+Opera 10

I see. So the premise is that if you can inject attributes onto an  
input element (but not inject arbitrary content) and presumably can't  
inject attributes into certain other elements which have auto-firing  
event handlers (like <body> or <img>), then you now have a drive-by  
XSS exploit using autofocus where previously some user interaction  
would have been required. But how about this:

<input style=position:fixed;left:0px;top:0px;width:100%;height:100%  
onmouseover=alert(1)>

Same conditions, essentially the same effect. Thus, I don't think  
autofocus meaningfully increases attack surface.

Regards,
Maciej
Received on Monday, 7 December 2009 11:01:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT