As browser manufacturers add new features, they can sometimes overlook security implications, which can often seem minor. I’ve found two such features which I think could cause problems.
CSS overlays
Iframes can be manipulated to show only a small area of the screen; even worse, you can overlay any other item on top of them. Using nested iframes, you can position them in such a way that it would be impossible for a normal user to know which site they are interacting with.
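The overlay described above only works if the target page lets itself be rendered inside a frame. As an added example (not part of the original post), this JavaScript classifies a response's anti-framing policy from its `X-Frame-Options` and CSP `frame-ancestors` headers; the function names, return labels and sample hosts are assumptions made for illustration.

```javascript
// Added example: classify a response's framing defence from its headers.
// Header names are real; function names and labels are illustrative.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

function frameAncestors(csp) {
  // A header may carry several comma-separated policies; this simplified
  // audit takes the first frame-ancestors directive found in any of them.
  for (const policy of csp.split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') return sources;
    }
  }
  return null;
}

function framingPolicy(headers) {
  // frame-ancestors, when present, is evaluated in preference to X-Frame-Options.
  const csp = getHeader(headers, 'content-security-policy');
  const sources = csp === null ? null : frameAncestors(csp);
  if (sources !== null) {
    const s = sources.map(x => x.toLowerCase());
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return 'deny';
    // "*" or a bare scheme such as "https:" lets any site on it frame the page.
    if (s.some(x => x === '*' || x.endsWith(':'))) return 'unprotected';
    return s.every(x => x === "'self'") ? 'same-origin' : 'allowlist';
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === null) return 'unprotected';
  const values = new Set(xfo.split(',').map(v => v.trim().toLowerCase()));
  if (values.size === 1 && values.has('deny')) return 'deny';
  if (values.size === 1 && values.has('sameorigin')) return 'same-origin';
  // ALLOW-FROM, conflicting or unknown values: reported as unprotected,
  // a deliberately conservative audit choice.
  return 'unprotected';
}
```

A result of `unprotected` means the page can be embedded by any origin, which is the precondition for the nested-iframe positioning described above.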
Submit buttons
Form submit buttons can be made interactive and totally invisible; they can also look like a normal HTML link. This is bad because, even with JavaScript disabled, it is possible to fool a user into submitting an external form on any web site.
Update…
I’ve added a CSS scripting demo which shows CSS is going beyond just presentation.
The following demos were tested on Firefox:-




Comments 1
Loved the submit button thingy
Simple, yet sexy.
Coincidentally, a friend of mine posted a small post on CSS3.0 today. I couldn’t help thinking about Jeremiah and RSnake’s Intranet Hacking Talk (take 2) at BH-US… and combining it all together for some nefarious things surfacing in future.
Posted 24 Aug 2007 at 6:32 am
Phew! I guess I’m a true Piscean.