CSS attacks!
Friday, 24 August 2007
As browser manufacturers add new features, they can sometimes overlook the security implications, which can often seem minor. I’ve found two such features which I think could cause problems.
CSS overlays
Iframes can be manipulated to show only a small area of the screen; even worse, you can overlay any other item on top of them. Using nested iframes, you can position them in such a way that it would be impossible for a normal user to know which site they are interacting with.
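One defensive check for the framing problem described above, as an added example that is not part of the original post: it reads a response's headers and reports who is allowed to embed the page in an iframe. The `Content-Security-Policy: frame-ancestors` directive and the `X-Frame-Options` header are standard browser controls that the post does not mention; the function names and the header objects passed in are assumptions made for illustration.

```javascript
// Added example: who may frame a page, judged from its response headers.
// `headers` is an object keyed by lowercase header name (an assumption of this sketch).
// Content-Security-Policy-Report-Only is deliberately not read: it is never enforced.

const RANK = ['none', 'same-origin', 'allowlist', 'any']; // tightest first

// Classify one frame-ancestors source list.
function classify(sources) {
  // An empty list behaves like 'none'.
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'none';
  // A bare wildcard or a scheme-only source (e.g. "https:") lets almost any site embed the page.
  if (sources.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) return 'any';
  if (sources.every(s => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

// Collect the frame-ancestors source list of every enforced policy.
// Several policies can arrive comma-joined in one header value.
function frameAncestorsLists(csp) {
  const lists = [];
  for (const policy of (csp || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      // Only the first occurrence of a directive within a policy counts.
      if (name === 'frame-ancestors') { lists.push(sources); break; }
    }
  }
  return lists;
}

function framingPolicy(headers) {
  const lists = frameAncestorsLists(headers['content-security-policy']);
  if (lists.length > 0) {
    // An enforced frame-ancestors makes browsers ignore X-Frame-Options.
    // Every policy must allow the embedder, so the tightest one bounds the result.
    const verdict = lists.map(classify).sort((a, b) => RANK.indexOf(a) - RANK.indexOf(b))[0];
    return { verdict, source: 'frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { verdict: 'none', source: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { verdict: 'same-origin', source: 'x-frame-options' };
  // Missing, malformed, or the obsolete ALLOW-FROM form: current browsers apply no restriction.
  return { verdict: 'any', source: xfo ? 'x-frame-options (ignored)' : 'no header' };
}
```

A verdict of `any` means the page can be placed inside another site's iframe and covered or clipped in the way this section describes.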
Submit buttons
Form submit buttons can be made interactive and totally invisible; they can also look like a normal HTML link. This is bad because even with JavaScript disabled it is possible to fool a user into submitting an external form on any web site.
Update….
I’ve added a CSS scripting demo which shows CSS is going beyond just presentation.
The following demos were tested on Firefox:-
No. 1 — August 24th, 2007 at 6:32 am
Loved the submit button thingy 🙂
Simple, yet sexy.
Coincidentally, a friend of mine posted a small post on CSS3.0 today. I couldn’t help thinking about Jeremiah and RSnake’s Intranet Hacking Talk (take 2) at BH-US… and combining it all together for some nefarious things surfacing in future.
Phew! I guess I’m a true Piscean. 😉