- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Sun, 6 Dec 2009 14:28:42 +0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: sird@rckc.at, public-web-security@w3.org
Received on Sunday, 6 December 2009 06:29:16 UTC
xss without css.. i don't know if someone else discovered this type of attack before us on bluehat last year.. but it doesn't matter. it's amazing that if it was known for so long until now people are considering the security ramifications of those new toys. anyway.. i don't want to rant about this..

greetz

On Dec 6, 2009 2:17 PM, "Ian Hickson" <ian@hixie.ch> wrote:

On Fri, 4 Dec 2009, Eduardo Vela wrote:
>
> I sincerely understand why people want seamless iframes ...
> What I see with those awesome CSS3 selectors such as:
>
> input[type=password][value^=a]{backgrou...

How is the attacker inserting CSS into the page, in this scenario?

I agree that if an attacker can insert CSS into a victim page, that numerous information retrieval attacks are possible (though not currently a password attack, as Maciej mentioned). However, this has long been known, it doesn't seem to be a new problem.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'