Re: Seamless iframes + CSS3 selectors = bad idea from Mary Ellen Zurko on 2009-12-09 (public-web-security@w3.org from December 2009)

From: Mary Ellen Zurko <mzurko@us.ibm.com>
Date: Wed, 9 Dec 2009 17:44:06 -0500
To: "Adam Barth <w3c" <w3c@adambarth.com>
Cc: public-web-security@w3.org
Message-ID: <OF2D31AB68.83BA39B0-ON85257687.007C8AFB-85257687.007CC611@LocalDomain>

In theory I've got no problem with that. In practice, I'm darned if I can 
figure out how to ensure that a gazillion web app developers "only" 
develop using features that are "adequately safe". And I can't tell in 
this discussion how I'll do that. But I realize that's a tangent. Just 
throwing it out in case there's an easy answer that someone will toss me, 
and I will catch in my mouth, and trot off happily with...

          Mez

From:
Adam Barth <w3c@adambarth.com>
To:
Ian Hickson <ian@hixie.ch>
Cc:
Maciej Stachowiak <mjs@apple.com>, sird@rckc.at, 
public-web-security@w3.org
Date:
12/06/2009 11:24 AM
Subject:
Re: Seamless iframes + CSS3 selectors = bad idea
Sent by:
public-web-security-request@w3.org

On Sun, Dec 6, 2009 at 1:21 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Sat, 5 Dec 2009, Adam Barth wrote:
>> I think you're missing the main attack that sird's worried about:
>>
>> Assumptions:
>>
>> 1) The attacker can injection content into the target web site, but
>> cannot injection script.
>
> If you grant the assumption that the page has a faulty filter, IMHO it
> becomes easy to have all kinds of vulnerabilities. That filters should
> make sure the user can't insert arbitrary CSS is not new. Selectors and
> expressions get more and more expressive with each year, but they pale 
in
> comparison to the kind of deep analysis you can do to a page using XSLT
> and XPath, for example. This is why filters should always whitelist only
> features they consider safe.

The issue is slightly more subtle than you describe.  Filters aren't
"faulty" or "safe," they just restrict what kinds of things the
attacker can inject.  The question is what bad things the attacker can
do with these injections.  sird's point is that allowing CSS is more
severe than it used to be (modulo expression() and -moz-binding, which
are generally considered poor features from a security point of view).

Imagine all the sites on the web as existing as regions on a map
colored by the severity of the bad things the attacker can do on those
sites, even restricted by their filters.  Some percent of the map has
unrestricted XSS and is bright red.  Some percent of the map is locked
down to allowing only the letter "a" and is bright green.  The point
is this feature turns some non-negligible percent of the map a
brighter shade of red.  That's something that we should know about and
balance against the added functionality of the attack surface.

Adam

Received on Wednesday, 9 December 2009 22:43:30 UTC