- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Tue, 6 Mar 2007 06:12:58 -0800 (PST)
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, Jesse Ruderman <jruderman@gmail.com>, public-wsc-wg@w3.org, Mike Beltzner <beltzner@mozilla.com>

Hi Mez,

Would have added these to the wiki myself, but the page appears immutable, at least to my account. :(

An invisible password area attack can be used to trick users into submitting their stored passwords for a site when executing a cross-site-scripting attack. A password input is added to the page but some CSS manipulation (for instance, there are other methods for hiding an element) is used to obscure it from the user. Since the browser can't tell that this represents an attack scenario, the stored password is supplied without the user knowing that any secrets have been divulged. Once this occurs, any number of cross-site scripting attacks can be launched with significantly reduced risk of detection.

A negative positioned window attack is like a larger-than-visible attack. Like most of the entries in this list, it subverts the usual browser chrome indicators by obscuring them, with the intent to synthesize new ones within the content area. If I can move my browser 100 pixels off the top of the screen, I can create my own false menus and toolbars, as well as my own misleading chrome indicators about URL and SSL status, strictly within the content area. It is basically a picture in picture attack which takes an extra step to make the inner picture seem authoritative.

Cheers,

Johnathan

----- "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> Thanks.
>
> What is "invisible password area" as an attack testcase?
>
> What does "negative positioned window" do? If it puts the window off
> the display area entirely, how is that an attack?
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
> public-wsc-wg-request@w3.org wrote on 03/06/2007 01:28:41 AM:
>
> >
> > ACTION-107
> >
> > In order to evaluate various browsers, a library of spoofing
> > testcases has been assembled. New browser technologies can use these
> > testcases to determine if they're susceptible to spoofing. I'm
> > looking mostly at Tyler and Stuart here, since I'm not the right one
> > to create/link to the various testcases. Here's the location on the
> > wiki:
> >
> > http://www.w3.org/2006/WSC/wiki/NoteTestCases
> >
> > cc: Jesse Ruderman, Daniel Veditz, as they're long-time spoofing
> > testcase generators for Mozilla and might be able to help here.
> >
> > This closes ACTION-107.
> >
> > cheers,
> > mike
> >

--
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Tuesday, 6 March 2007 14:06:38 UTC