I heard about a vulnerability in Chrome and Safari that allows attacks to bypass anti-cross-site scripting filters...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
that is easily exploitable. How can I protect my users and system until patches are released?
Researcher Ioseba Palop from Eleven Paths found a bug in the cross-site scripting filter in Chrome and Safari that enables an attacker to bypass it in certain scenarios and compromise visitors to a vulnerable site. The problem lies in how the new HTML5 "srcdoc" attribute of the iFrame tag is handled by the filter. The iFrame tag is supported in all major browsers and is used to embed another document within the current HTML document. It is marked up as follows:
The srcdoc attribute of the IFRAME tag is new in HTML5 and is currently only supported in Firefox, Chrome and Safari. The srcdoc attribute specifies the HTML content of the page to show in the inline frame. An example would be:
<iframe srcdoc="<p>Welcome to TechTarget!</p>" src="http://www.techtarget.com"></iframe>
(If the src attribute and the srcdoc attribute are specified together, the srcdoc attribute takes priority. This allows a fallback URL for browsers that do not support the srcdoc attribute.)
Security teams should make sure their Web development teams are aware of the issue, as there are some important takeaways. Web developers looking to use new HTML attributes introduced in HTML5 should read the relevant documentation to ensure that they are implementing them correctly and securely. For example, the srcdoc attribute is expected to be used together with the sandbox and seamless attributes. The sandbox attribute enables a set of extra restrictions on any content hosted by the iframe. It is also important to use a separate domain for the contents of an iframe so if the attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin. Most websites have numerous injection points, such as search fields, comment forms and cookies, so developers should sanitize any user input before it is processed and redisplayed, particularly if it is to appear within an iframe.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and ...continue reading
Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what ...continue reading
A recently discovered Android app permissions flaw can expose users to attacks. Michael Cobb explains what the risks are and how Android O security ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.