- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Tue Mar 06 13:18:10 2007
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: "Daniel Veditz" <dveditz@mozilla.com>, "Jesse Ruderman" <jruderman@gmail.com>, public-wsc-wg@w3.org
By using CSS to render a password area invisible, a site using cross-site scripting can potentially fool a browser into giving up a username and password (autofilling with password manager) without the user realizing that they're even submitting this information. Negative positioned windows can be arranged such that a new window opens overtop of the chrome of an existing window, making for a picture in picture spoof.

Really, they were just two that I remembered off the top of my head and listed as examples. I think it's important to build up this testing library so that anyone can evaluate a design against a set of exploits and have a degree of confidence. It'll also be a library that we can use in our own user testing. Rachna might also have some good testcases from her research.

cheers,
mike

-----Original Message-----
From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Tue, 6 Mar 2007 08:13:40
To: beltzner@mozilla.com
Cc: Daniel Veditz <dveditz@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>, public-wsc-wg@w3.org
Subject: Re: ACTION-107 : Create a library of testcases / examples of attacks listed in section 8

Thanks. What is "invisible password area" as an attack testcase? What does "negative positioned window" do? If it puts the window off the display area entirely, how is that an attack?

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

public-wsc-wg-request@w3.org wrote on 03/06/2007 01:28:41 AM:

> ACTION-107
>
> In order to evaluate various browsers, a library of spoofing testcases has been assembled. New browser technologies can use these testcases to determine if they're susceptible to spoofing. I'm looking mostly at Tyler and Stuart here, since I'm not the right one to create/link to the various testcases.
>
> Here's the location on the wiki:
>
> http://www.w3.org/2006/WSC/wiki/NoteTestCases
>
> cc: Jesse Ruderman, Daniel Veditz, as they're long-time spoofing testcase generators for Mozilla and might be able to help here.
>
> This closes ACTION-107.
>
> cheers,
> mike
Received on Tuesday, 6 March 2007 13:18:10 UTC
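The two testcases Mike describes above both turn on the browser acting on something the user cannot see: a password field hidden with CSS that the password manager fills anyway, and a popup placed at negative coordinates over another window's chrome. The following is an added example, not code from the email thread, from Mozilla, or from any browser: a defensive visibility heuristic that an autofill implementation could consult before filling a login field, plus a clamp that keeps a requested popup inside the screen. The `style`, `rect`, `ancestorStyles` and screen objects are assumptions shaped like `getComputedStyle()` and `getBoundingClientRect()` results, so the code runs without a DOM; all sample fields are constructed for the illustration.

```javascript
// Added example (not from the original email, Mozilla, or any browser):
// a heuristic a password manager could run before autofilling a field,
// refusing fields that CSS has made effectively invisible, plus a clamp
// for new-window placement. Input objects mimic getComputedStyle() /
// getBoundingClientRect() results (assumed shapes); sample data is constructed.

const SAMPLE_VIEWPORT = { width: 1280, height: 800 }; // constructed screen size

// CSS-only reasons a box is not perceivable. Applied to the field itself and
// to every ancestor, because hiding a container hides the field as well.
function cssHidesBox(style) {
  if (style.display === 'none') return 'display:none';
  if (style.visibility === 'hidden' || style.visibility === 'collapse') {
    return `visibility:${style.visibility}`;
  }
  if (parseFloat(style.opacity) < 0.1) return 'near-zero opacity';
  // A clip-path such as inset(100%) leaves nothing of the box on screen.
  if (typeof style.clipPath === 'string' && /inset\(\s*100%\s*\)/.test(style.clipPath)) {
    return 'clip-path removes box';
  }
  return null;
}

// Geometry reasons: a zero-size box, or one positioned entirely outside the
// viewport (the familiar left:-9999px trick), is invisible whatever its CSS.
function boxOutOfView(rect, viewport) {
  if (rect.width < 1 || rect.height < 1) return 'zero-size box';
  const right = rect.left + rect.width;
  const bottom = rect.top + rect.height;
  if (right <= 0 || bottom <= 0 || rect.left >= viewport.width || rect.top >= viewport.height) {
    return 'off-screen';
  }
  return null;
}

// Decision the autofill path would consult. Returns { fill, reason }.
function shouldAutofill(field, viewport = SAMPLE_VIEWPORT) {
  const own = cssHidesBox(field.style);
  if (own) return { fill: false, reason: own };
  for (const ancestor of field.ancestorStyles || []) {
    const r = cssHidesBox(ancestor);
    if (r) return { fill: false, reason: `ancestor ${r}` };
  }
  const geo = boxOutOfView(field.rect, viewport);
  if (geo) return { fill: false, reason: geo };
  return { fill: true, reason: null };
}

// Keep a requested popup inside the screen: no negative coordinates, and no
// size larger than the screen, so it cannot be laid over another window's chrome.
function clampPopupBounds(req, screen) {
  const width = Math.min(Math.max(1, req.width), screen.width);
  const height = Math.min(Math.max(1, req.height), screen.height);
  const screenX = Math.min(Math.max(0, req.screenX), screen.width - width);
  const screenY = Math.min(Math.max(0, req.screenY), screen.height - height);
  return { screenX, screenY, width, height };
}

// Constructed sample fields covering the visible case and three hidden variants.
const VISIBLE_STYLE = { display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none' };
const ONSCREEN_RECT = { left: 100, top: 200, width: 200, height: 24 };
const SAMPLES = {
  visible: { style: VISIBLE_STYLE, rect: ONSCREEN_RECT, ancestorStyles: [] },
  transparent: { style: { ...VISIBLE_STYLE, opacity: '0' }, rect: ONSCREEN_RECT, ancestorStyles: [] },
  offscreen: { style: VISIBLE_STYLE, rect: { ...ONSCREEN_RECT, left: -9999 }, ancestorStyles: [] },
  hiddenParent: { style: VISIBLE_STYLE, rect: ONSCREEN_RECT, ancestorStyles: [{ display: 'none' }] },
};

for (const [name, field] of Object.entries(SAMPLES)) {
  console.log(name, shouldAutofill(field));
}
console.log(clampPopupBounds({ screenX: -600, screenY: -40, width: 400, height: 300 }, SAMPLE_VIEWPORT));
```

Only the `visible` sample is filled; the other three are refused with a reason string that a testcase harness could assert on. The clamp deliberately errs toward keeping the popup fully on screen rather than honouring the requested position, which is the conservative choice for the picture-in-picture case.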