- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 4 Aug 2011 16:18:29 +0000 (UTC)
- To: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- cc: public-html-comments@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
On Thu, 4 Aug 2011, Philippe De Ryck wrote:
>
> > I always hesitate to minimise the risk in security risk assessments,
> > but this does seem somewhat convoluted. Are you aware of any page that
> > has such a form, accepts user input, and uses a blacklist rather than
> > whitelist, and allows <button> or <input> to be inserted unescaped but
> > not <script>?
>
> Your requirements for a successful attack are rather strict, since the
> absence of a script injection attack does not seem necessary. A site
> vulnerable to injection attacks can still be protected against XSS by
> additional countermeasures (e.g. NoScript), yet remain vulnerable to
> this issue.

NoScript is a client-side counter-measure used by a minority of users. If
a site is relying on NoScript to not be vulnerable, then that site has
lost already. Thus I do not think that the described conditions are
unduly strict.

> If you leave these requirements out, you only need a page with a form
> and displayed user content, which is vulnerable to an HTML/script
> injection attack. Concrete example sites are any site with
> user-generated content (blogs, newspapers with comments, wikis) and a
> login form (which is often autocompleted by the browser). Tempting the
> user to click an injected button with "Some really tempting name or
> image" should be fairly easy.

Once you have a page where this is possible, sure. I'm just not convinced
that there are pages that allow form controls but aren't already
vulnerable to some other equal or worse problem.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 4 August 2011 16:19:00 UTC
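As an added illustration of the blacklist-versus-whitelist distinction the two correspondents argue over (example code, not part of either message): a filter that only strips `<script>` leaves an injected `<button>` inside a user comment, while an allowlist keeps a few formatting tags and drops form controls together with the HTML5 form-association attributes (`form`, `formaction`, and friends). The sample comment, the allowed tag set and the `containsFormControl` review check are constructed for this demonstration, and the tag-level regex stands in for the parser-based sanitizer a real site would use.

```javascript
// Added example, not part of the thread: the two filtering strategies the
// exchange contrasts, applied to a constructed user comment. Tag-level regex
// demo only; a parser-based sanitizer is needed for production.

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Blacklist strategy: strip <script> (and its contents) and nothing else.
function blacklistStripScript(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Allowlist strategy: keep a few inline/formatting tags with no attributes
// (except a vetted http(s) href on <a>); every other tag, including form
// controls, is dropped while its visible text is kept.
const ALLOWED = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);

function allowlistSanitize(html) {
  // Dropped <script>/<style> elements should lose their text content too.
  const noHidden = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return noHidden.replace(TAG_RE, (whole, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED.has(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    if (tag !== 'a') return `<${tag}>`;
    const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : '';
    return /^https?:\/\//i.test(href)
      ? `<a href="${href.replace(/"/g, '&quot;')}">`
      : '<a>';
  });
}

// Review check: does the output still carry a form control, or one of the
// HTML5 form-association attributes (form, formaction, formmethod, ...)?
function containsFormControl(html) {
  return /<(button|input|select|textarea|form|label|fieldset|output)\b/i.test(html)
    || /\sform(action|method|enctype|target|novalidate)?\s*=/i.test(html);
}

// Constructed comment: benign markup, a script, and an injected button that
// the form attribute associates with a login form elsewhere on the page.
const SAMPLE_COMMENT =
  '<p>Nice post! <a href="https://example.org/x" onclick="x()">link</a></p>' +
  '<script>alert(1)</script>' +
  '<button form="login">Some really tempting name</button>';

console.log('blacklist keeps a form control:', containsFormControl(blacklistStripScript(SAMPLE_COMMENT)));
console.log('allowlist output:', allowlistSanitize(SAMPLE_COMMENT));
```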