Re: ACTION-107 : Create a library of testcases / examples of attacks listedin section 8 from Mike Beltzner on 2007-03-06 (public-wsc-wg@w3.org from March 2007)

From: Mike Beltzner <beltzner@mozilla.com>
Date: Tue Mar 06 13:18:10 2007
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: "Daniel Veditz" <dveditz@mozilla.com>, "Jesse Ruderman" <jruderman@gmail.com>, public-wsc-wg@w3.org
Message-ID: <1735902471-1173187073-cardhu_blackberry.rim.net-23080-@engine18-cell02>

By using CSS to render a password area invisible, a site using cross-site scripting can potentially fool a browser into giving up a username and password (autofilling with password manager) without the user realizing that they're even submitting this information. 

Negative positioned windows can be arranged such that a new window opens overtop of the chrome of an existing window, making for a picture in picture spoof. 

Really, they were just two that I remembered off the top of my head and listed as examples. I think it's important to build up this testing library so that anyone can evaluate a design against a set of exploits and have a degree of confidence. It'll also be a library that we can use in our own user testing. 

Rachna might also have some good testcases from her research. 

cheers,
mike
-----Original Message-----
From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Tue, 6 Mar 2007 08:13:40 
To:beltzner@mozilla.com
Cc:Daniel Veditz <dveditz@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>,       public-wsc-wg@w3.org
Subject: Re: ACTION-107 : Create a library of testcases / examples of attacks listed
 in section 8

Thanks. 
 
What is "invisible password area" as an attack testcase? 
 
What does "negative positioned window" do? If it puts the window off the display area entirely, how is that an attack? 
 
          Mez
 
 Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
 Lotus/WPLC Security Strategy and Patent Innovation Architect
 
 
public-wsc-wg-request@w3.org wrote on 03/06/2007 01:28:41 AM:
 
 > 
 > ACTION-107
 > 
 > In order to evaluate various browsers, a library of spoofing  
 > testcases has been assembled. New browser technologies can use these  
 > testcases to determine if they're susceptible to spoofing. I'm  
 > looking mostly at Tyler and Stuart here, since I'm not the right one  
 > to create/link to the various testcases. Here's the location on the  
 > wiki:
 > 
 >      http://www.w3.org/2006/WSC/wiki/NoteTestCases
 > 
 > cc: Jesse Ruderman, Daniel Veditz, as they're long-time spoofing  
 > testcase generators for Mozilla and might be able to help here.
 > 
 > This closes ACTION-107.
 > 
 > cheers,
 > mike
 >

Received on Tuesday, 6 March 2007 13:18:10 UTC