
Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 7 Dec 2009 11:36:33 +0000
Message-ID: <252dd75b0912070336q413c1717p4298c02b336817c9@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: sird@rckc.at, Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
2009/12/7 Maciej Stachowiak <mjs@apple.com>

> I see. So the premise is that if you can inject attributes onto an input
> element (but not inject arbitrary content) and presumably can't inject
> attributes into certain other elements which have auto-firing event handlers
> (like <body> or <img>), then you now have a drive-by XSS exploit using
> autofocus where previously some user interaction would have been required.
> But how about this:
>
> <input style=position:fixed;left:0px;top:0px;width:100%;height:100%
> onmouseover=alert(1)>
>
> Same conditions, essentially the same effect. Thus, I don't think autofocus
> meaningfully increases attack surface.
>

Well, it enables an attack where previously none was possible. For example, consider a
web site that filters user input to remove <>():& etc. We can still auto-execute
JavaScript by supplying a vector such as:

"autofocus/onfocus="location=name"x="

Another point is that an onmouseover needs to have the user's focus, whereas the
vector I mentioned can be used within a hidden iframe and enables automation
of the attack rather than requiring a user to focus on each injection.
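The following is an added illustration, not part of the original thread, of the point made in the message above: a character blacklist that strips `<>():&` does nothing against the quoted vector, because the vector only needs `"`, `/` and `=`, and HTML treats `/` as an attribute separator inside a start tag. The scenario (a template that reflects user input inside the `value=""` of an `<input>`), the blacklist, the escaping function and the small attribute tokenizer are all constructed for this example; the tokenizer follows the HTML tokenizer's handling of quoted, unquoted and valueless attributes closely enough to show how a browser would split the tag. The mitigation shown is the standard one, attribute-value escaping, checked by listing every attribute the rendered tag carries that the template did not intend.

```javascript
// Constructed scenario (not from the thread): user input is reflected inside
// value="" of an <input>, after a blacklist removes the characters < > ( ) : &.

// The vector quoted in the message, used here only as test input.
const VECTOR = '"autofocus/onfocus="location=name"x="';

// The site's flawed defence: strip a handful of "dangerous" characters.
function naiveFilter(userInput) {
  return userInput.replace(/[<>():&]/g, '');
}

// The correct defence for this context: HTML attribute-value escaping, so the
// input can never close the quoted attribute it is placed in.
function escapeAttr(userInput) {
  return userInput
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The (constructed) template that reflects the value.
function renderInput(value) {
  return `<input type="text" value="${value}">`;
}

// Minimal attribute tokenizer for one start tag, modelled on the HTML
// tokenizer: attribute names may be separated by whitespace or '/', values may
// be double-quoted, single-quoted or unquoted, and an attribute may have no
// value at all. The first occurrence of a name wins, as in browsers.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s/>]*/, '').replace(/\/?>$/, '');
  const attrs = {};
  const re = /[\s/]*([^\s/=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// Defender's check: which attributes does the rendered tag carry that the
// template never intended? Anything here is an injection.
function unexpectedAttributes(tag, allowed) {
  return Object.keys(parseAttributes(tag)).filter((n) => !allowed.includes(n));
}

const ALLOWED = ['type', 'value'];

function demo() {
  const blacklisted = renderInput(naiveFilter(VECTOR));
  const escaped = renderInput(escapeAttr(VECTOR));
  return {
    // Blacklist: the tag gains autofocus, onfocus and a stray x attribute.
    blacklistLeaks: unexpectedAttributes(blacklisted, ALLOWED),
    // Escaping: the whole vector stays inside value="", nothing leaks.
    escapedLeaks: unexpectedAttributes(escaped, ALLOWED),
  };
}

console.log(demo());
```

Running `demo()` shows the blacklist variant acquiring `autofocus` and `onfocus` (with `onfocus` carrying `location=name`) while the escaped variant carries only `type` and `value`. The same `unexpectedAttributes` check is a cheap assertion to add to template tests: render each reflected field with a few quote-heavy inputs and fail the test if the attribute set grows.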
Received on Monday, 7 December 2009 11:37:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT