Re: [webauthn] Code Injection vulnerability from client side (#1965)

Kudos, I thought of a similar attack vector last month. The only difference is that the web application is vulnerable to XSS, where an attacker can craft a malicious payload that calls navigator.credentials.get and sends the response back to the attacker's server. My scenario is that there is no malware on the victim's machine.

My mitigation is therefore to tie the WebAuthn challenge to a browser cookie (protected with HttpOnly).

Here is the flow:
![image](https://github.com/w3c/webauthn/assets/47883976/3d4e611b-5bc5-42ec-b7cc-4ef633b09f2c)
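The binding described in the comment above, as an added example that is not the commenter's code and not part of the WebAuthn specification: the relying party keeps each issued challenge keyed by a hash of a fresh HttpOnly cookie, and accepts an assertion only when the challenge arrives together with the cookie it was issued to. The cookie name `webauthn_ctx`, the 120-second lifetime, and the assumption that the caller has already decoded the challenge out of `clientDataJSON` are mine, not the page's.

```python
import hashlib
import hmac
import secrets
import time

# Assumed cookie name and lifetime; the commenter's flow does not fix these values.
CTX_COOKIE = "webauthn_ctx"
CHALLENGE_TTL_SECONDS = 120


def parse_cookie_header(header):
    """Return the cookies from a raw Cookie request header as a dict."""
    cookies = {}
    if not header:
        return cookies
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class ChallengeStore:
    """Server-side table of pending challenges keyed by a hash of the browser's HttpOnly cookie."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(cookie value) -> (challenge bytes, expiry timestamp)
        self._now = now     # injectable clock so expiry can be tested

    @staticmethod
    def _key(cookie_value):
        # Store only a hash so a leaked table does not reveal usable cookie values.
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def issue(self):
        """Start a ceremony: mint a challenge and the Set-Cookie header that binds it."""
        challenge = secrets.token_bytes(32)
        cookie_value = secrets.token_urlsafe(32)
        self._pending[self._key(cookie_value)] = (challenge, self._now() + CHALLENGE_TTL_SECONDS)
        set_cookie = (
            f"{CTX_COOKIE}={cookie_value}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/; Max-Age={CHALLENGE_TTL_SECONDS}"
        )
        return challenge, set_cookie

    def verify(self, client_challenge, cookie_header):
        """Accept the assertion only if the challenge arrives with the cookie it was issued to."""
        cookie_value = parse_cookie_header(cookie_header).get(CTX_COOKIE)
        if cookie_value is None:
            return False
        entry = self._pending.pop(self._key(cookie_value), None)  # single use
        if entry is None:
            return False
        expected, expires_at = entry
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(expected, client_challenge)


def demo():
    """Walk one ceremony through the three cases a verifier has to get right."""
    store = ChallengeStore()
    challenge, set_cookie = store.issue()
    # The browser echoes only the name=value pair back; drop the Set-Cookie attributes.
    cookie_header = set_cookie.split(";", 1)[0]
    results = {}
    # A response presented without the browser's HttpOnly cookie is rejected and nothing is consumed.
    results["no_cookie"] = store.verify(challenge, None)
    # The same browser session, carrying the cookie, is accepted exactly once ...
    results["with_cookie"] = store.verify(challenge, cookie_header)
    # ... and the challenge cannot be used a second time.
    results["replay"] = store.verify(challenge, cookie_header)
    return results
```

The store must be consulted before signature verification and the entry removed on first use, so a challenge cannot be completed twice. Because the cookie is HttpOnly, a response relayed to a server that does not hold the victim's cookie fails the check; the binding scopes the ceremony to the browser session that started it, which is why injected script in that same session still has to be addressed separately with output encoding and CSP.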


-- 
GitHub Notification of comment by bowtiejicode
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1965#issuecomment-1732287740 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 23 September 2023 11:28:26 UTC