- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Mon, 7 Dec 2009 13:31:06 +0800
- To: public-web-security@w3.org
- Message-ID: <8ba534860912062131u70a05939g68490327c0c8db4e@mail.gmail.com>
Here: http://dev.w3.org/html5/spec/Overview.html#origin

2 comments.

It says:

    If a script is a javascript: URL in a style sheet
    The owner is the URL of the style sheet.

That means javascript URIs will be allowed? And.. are you aware that CSS doesn't hard-fail? (I mean.. it's not like JS that will exit at the first syntax error.)

Something like:

    http://www.google.com/search?for=something

    <!doctype html5>
    <html>
    ....
    <a href="http://www.example.com/}body{background-image:url(javascript:alert('who am I?'))}">link</a>

can be interpreted as a stylesheet..

    <link href="http://www.google.com/search?for=something">

and execute the CSS, and according to that spec.. with www.google.com as its origin.. that's super dangerous!

This is a PoC (without the actual unimplemented xss):
http://attacker.sirdarckcat.net/xss.php?html_xss=%3Cstyle%3E@import%20url%28%27http://victim.sirdarckcat.net/xss.php?html_xss=}%250D%250Abody{background-image:url%28http://t0.gstatic.com/images?q=tbn:cOeIS9pmn6i8YM:http://epicfail/%29}%250D%250Ax{%27%29;%3C/style%3E

Just change the http:// with javascript (for when this gets implemented) and you've got a cool nice UXSS..

The second one:

    If a script is a javascript: URL that was returned as the location of an HTTP redirect (or equivalent in other protocols)
    The owner is the URL that redirected to the javascript: URL.

This is NOT happening as of right now.. on any browser afaik. You can try!
http://tinyurl.com/jsredirect
And preview: http://preview.tinyurl.com/jsredirect

The only "redirect" that executes JS are Refresh (via headers or meta).. but I wouldn't consider them an HTTP redirect.. per se..

I haven't reviewed the whole spec, but this stuff is disappointing..

Greetings!!

-- 
Eduardo
http://www.sirdarckcat.net/
Sent from Hangzhou, 33, China
Received on Monday, 7 December 2009 05:32:06 UTC
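An added example (not from Eduardo's mail or from the W3C spec) of the two defender-side checks the scenario above calls for, in JavaScript: refusing to apply a cross-origin stylesheet whose response was not served as text/css, and flagging url() values in CSS text that use the javascript: scheme. The MIME policy encoded here, the function names and the sample response are assumptions for the example.

```javascript
// Added example, not code from the mail or the spec. Two checks a
// stylesheet loader (or a response-scanning proxy) can apply to the
// scenario in the mail: a cross-origin document being parsed as CSS.
// The policy below is an assumption for the example, not spec text.

// Decide whether a <link rel=stylesheet> response may be applied.
// Same-origin responses are accepted leniently; cross-origin responses
// must carry a text/css Content-Type (case-insensitive, parameters such
// as ";charset=utf-8" ignored). A reflected search page served as
// text/html therefore never becomes a stylesheet for another origin.
function shouldApplyStylesheet(documentUrl, linkUrl, contentType) {
  const docOrigin = new URL(documentUrl).origin;
  const linkOrigin = new URL(linkUrl, documentUrl).origin;
  const mime = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (docOrigin === linkOrigin) return true;
  return mime === "text/css";
}

// Extract url() values from arbitrary text, tolerating the lenient parsing
// the mail points out: anything before the url( token is simply skipped.
// As in the CSS tokenizer, an unquoted url token ends at the first ')'.
function extractUrlValues(cssText) {
  const re = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  const out = [];
  let m;
  while ((m = re.exec(cssText)) !== null) out.push(m[2].trim());
  return out;
}

// Return the url() values whose scheme is javascript:, after undoing
// percent-encoding and stripping whitespace/control characters that
// scheme parsing ignores (so "java%0Ascript:" is not missed).
function findScriptUrls(cssText) {
  return extractUrlValues(cssText).filter((u) => {
    let v = u;
    try { v = decodeURIComponent(u); } catch (e) { /* keep raw value */ }
    v = v.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
    return v.startsWith("javascript:");
  });
}

// Constructed sample: an HTML page whose reflected parameter closes the
// current CSS block and opens a body rule, as in the mail's example.
const SAMPLE_RESPONSE =
  '<!doctype html><html><a href="http://www.example.com/}' +
  'body{background-image:url(javascript:alert(1))}">link</a>';
```

Run on the sample, findScriptUrls reports the javascript: value even though everything around it is HTML, which is exactly why the Content-Type check has to run before the CSS parser ever sees a cross-origin body.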