W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2010

[whatwg] element "img" with HTTP POST method

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 9 Dec 2010 19:15:45 -0800
Message-ID: <AANLkTikBZSyfyNq=YAR2AzeYbXz=_ZmQX3qc99kz2YMq@mail.gmail.com>
>>> On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <phil127 at gmail.com> wrote:
>>>> There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like "post-data". For malicious users, it would be very easy to include e.g. <img src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam URL)"> in their signature and have users doing involuntary posts by simply viewing a thread.
>>>
>>> Indeed. ?You shouldn't be able to trigger POSTs from involuntary
>>> actions. ?They should always require some sort of user input, because
>>> there is simply *far* too much naive code out there that is vulnerable
>>> to CSRF.
>>
>> Unfortunately, the attacker can already trigger POSTs with involuntary
>> actions. ?That code is already vulnerable attack, sadly.
>
> Via scripting, yes, which is usually stripped out by sanitizers (or
> just plain doesn't work, like javascript urls in images). ?I don't
> believe there are any declarative ways to trigger involuntary POSTs,
> are there?

The attacker can always make a giant invisible button that covers the
whole page that submits a form.  Web sites can generate POST requests
without user intervention.  Anyone who's using POST as a security
feature as far bigger troubles than this attribute.

Adam
Received on Thursday, 9 December 2010 19:15:45 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:02 UTC