As browser manufacturers add new features, they can sometimes overlook security implications, which can often seem minor. I’ve found two such features which I think could cause problems.

CSS overlays

Iframes can be manipulated to show only a small area of the screen. Even worse, you can overlay any other item on top of one. Using nested iframes, you can position them in such a way that it would be impossible for a normal user to know which site they are interacting with.

Submit buttons

Form submit buttons can be made interactive and totally invisible; they can also be made to look like a normal HTML link. This is bad because, even with JavaScript disabled, it is possible to fool a user into submitting an external form on any web site.
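
A server-side check for both issues above, as an added example that is not part of the original post: the first function reports whether a response's headers let another origin frame the page, the second whether a form submission started on another site. The function names, the `app.example` origin and the sample headers are constructed for illustration.

```javascript
// Added example. Function names and the sample headers are constructed for illustration.
// Header names are expected lower-cased, as Node's http module delivers them.

// Overlay issue: may a page served with these response headers be rendered
// inside an iframe on another origin?
function framingAllowedCrossOrigin(headers) {
  const csp = headers['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      // Conservative: any source other than 'none' or 'self' counts as
      // letting another origin frame the page. An empty list behaves like 'none'.
      return !sources.every((s) => s === "'none'" || s === "'self'");
    }
  }
  // No frame-ancestors directive: fall back to X-Frame-Options.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}

// Submit-button issue: did this state-changing request start on another site?
// Current browsers attach Origin to form POSTs; no script is involved.
function isCrossSiteSubmission(method, headers, ownOrigin) {
  if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method.toUpperCase())) return false;
  if (headers.origin !== undefined) return headers.origin !== ownOrigin;
  if (headers.referer === undefined) return true; // no provenance: treat as untrusted
  try {
    return new URL(headers.referer).origin !== ownOrigin;
  } catch {
    return true; // unparseable Referer
  }
}

// Constructed sample input.
const OWN = 'https://app.example';
console.log(framingAllowedCrossOrigin({ 'x-frame-options': 'SAMEORIGIN' }));
console.log(isCrossSiteSubmission('POST', { origin: 'https://other.example' }, OWN));
```

A submission flagged by `isCrossSiteSubmission` should be rejected before any state changes, and a page flagged by `framingAllowedCrossOrigin` should have one of the two headers added.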


I’ve added a CSS scripting demo which shows CSS is going beyond just presentation.

The following demos were tested on Firefox:

CSS attack demos

  1. Bipin 3~ Upadhyay writes:

    Loved the submit button thingy 🙂
    Simple, yet sexy.

    Co-incidentally, a friend of mine posted a small post on CSS3.0 today. I couldn’t help thinking about Jeremiah and RSnake’s Intranet Hacking Talk (take 2) at BH-US… and combining it all together for some nefarious things surfacing in future.
    Phew! I guess I’m a true Piscean. 😉