W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP and web analytics

From: Mario Heiderich <mario.heiderich@googlemail.com>
Date: Thu, 9 Jun 2011 19:51:57 +0200
Message-ID: <BANLkTikb3GiBLobhAPcEdD0L9zCBdGZ3=w@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: public-web-security@w3.org
The trick is rather common among pentesters - but I am not sure about any
public documentation. It works particularly well too if a website for
instance allows user generated HTML containing class attributes - and one of
the injected classes is being used for special purposes by the attacked
website's client side business logic. I've seen this work in many real life
web apps.

Cheers,
..mario

On Thu, Jun 9, 2011 at 7:07 PM, Bil Corry <bil@corry.biz> wrote:

> gaz Heyes wrote on 6/8/2011 12:53 PM:
>
>> On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org
>> <mailto:john.wilander@owasp.org>> wrote:
>>
>> I actually started thinking about whitelisted script element ids to
>> augment CSP statements and allow for e.g. inline analytics blocks.
>> But then I ran into what we'd like to call "DOM Identity Theft" since
>> browsers are specified to return the /first/ element with the given
>> id when getElementById() is called. Is the technique already known?
>> Under a different name?.
>>
>>
>> Glad to see you're on the same page ;) Yeah there is another name,
>> DOM Clobbering, I'd don't mind what name is given as long as it isn't
>> plastered all over the media. As you can imagine it gets quite fun
>> with analytics + clobbering
>>
>
> Do you have a link to a resource describing "DOM Clobbering"?  Google only
> found a single mention, your quote above:
>
>        http://www.google.com/search?q=%22dom+clobbering%22
>
> Maybe John should write up his "DOM Identity Theft".
>
>
> - Bil
>
>


-- 
_____________________________
www.phpids.org | @0x6D6172696F
[[,_]=!''+'',[,,,$,,,]=!_+''+{}][$++_+]+_
Received on Tuesday, 14 June 2011 06:29:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC