2009/12/7 Maciej Stachowiak <mjs@apple.com> > I see. So the premise is that if you can inject attributes onto an input > element (but not inject arbitrary content) and presumably can't inject > attributes into certain other elements which have auto-firing event handlers > (like <body> or <img>), then you now have a drive-by XSS exploit using > autofocus where previously some user interaction would have been required. > But how about this: > > <input style=position:fixed;left:0px;top:0px;width:100%;height:100% > onmouseover=alert(1)> > > Same conditions, essentially the same effect. Thus, I don't think autofocus > meaningfully increases attack surface. > Well it enables attack where previously not possible, for example consider a web site that filters user input to remove <>():& etc. we can still auto execute javascript by supplying a vector such as:- "autofocus/onfocus="location=name"x=" Another point is a onmouseover needs to have the user's focus whereas the vector I mentioned can be used within a hidden iframe and enables automation of attack rather than requiring a user to focus on each injection.
Received on Monday, 7 December 2009 11:37:06 UTC