I heard about a vulnerability in Chrome and Safari that allows attacks to bypass anti-cross-site scripting filters...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
that is easily exploitable. How can I protect my users and system until patches are released?
Researcher Ioseba Palop from Eleven Paths found a bug in the cross-site scripting filter in Chrome and Safari that enables an attacker to bypass it in certain scenarios and compromise visitors to a vulnerable site. The problem lies in how the new HTML5 "srcdoc" attribute of the iFrame tag is handled by the filter. The iFrame tag is supported in all major browsers and is used to embed another document within the current HTML document. It is marked up as follows:
The srcdoc attribute of the IFRAME tag is new in HTML5 and is currently only supported in Firefox, Chrome and Safari. The srcdoc attribute specifies the HTML content of the page to show in the inline frame. An example would be:
<iframe srcdoc="<p>Welcome to TechTarget!</p>" src="http://www.techtarget.com"></iframe>
(If the src attribute and the srcdoc attribute are specified together, the srcdoc attribute takes priority. This allows a fallback URL for browsers that do not support the srcdoc attribute.)
Security teams should make sure their Web development teams are aware of the issue, as there are some important takeaways. Web developers looking to use new HTML attributes introduced in HTML5 should read the relevant documentation to ensure that they are implementing them correctly and securely. For example, the srcdoc attribute is expected to be used together with the sandbox and seamless attributes. The sandbox attribute enables a set of extra restrictions on any content hosted by the iframe. It is also important to use a separate domain for the contents of an iframe so if the attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin. Most websites have numerous injection points, such as search fields, comment forms and cookies, so developers should sanitize any user input before it is processed and redisplayed, particularly if it is to appear within an iframe.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Michael Cobb
Expert Michael Cobb explains the differences between symmetric and asymmetric encryption algorithms, common uses and examples of both encryption ...continue reading
Google has added Linux kernel memory protection and other security measures to the Android OS. Expert Michael Cobb explains how these features work ...continue reading
The HummingBad malware has infected 10 million mobile devices worldwide. Expert Michael Cobb explains how this exploit enables click fraud and other ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.