I heard about a vulnerability in Chrome and Safari that allows attacks to bypass anti-cross-site scripting filters that is easily exploitable. How can I protect my users and system until patches are released?
Researcher Ioseba Palop from Eleven Paths found a bug in the cross-site scripting filter in Chrome and Safari that enables an attacker to bypass it in certain scenarios and compromise visitors to a vulnerable site. The problem lies in how the new HTML5 "srcdoc" attribute of the iFrame tag is handled by the filter. The iFrame tag is supported in all major browsers and is used to embed another document within the current HTML document. It is marked up as follows:
The srcdoc attribute of the IFRAME tag is new in HTML5 and is currently only supported in Firefox, Chrome and Safari. The srcdoc attribute specifies the HTML content of the page to show in the inline frame. An example would be:
<iframe srcdoc="<p>Welcome to TechTarget!</p>" src="https://www.techtarget.com"></iframe>
(If the src attribute and the srcdoc attribute are specified together, the srcdoc attribute takes priority. This allows a fallback URL for browsers that do not support the srcdoc attribute.)
Security teams should make sure their Web development teams are aware of the issue, as there are some important takeaways. Web developers looking to use new HTML attributes introduced in HTML5 should read the relevant documentation to ensure that they are implementing them correctly and securely. For example, the srcdoc attribute is expected to be used together with the sandbox and seamless attributes. The sandbox attribute enables a set of extra restrictions on any content hosted by the iframe. It is also important to use a separate domain for the contents of an iframe so if the attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin. Most websites have numerous injection points, such as search fields, comment forms and cookies, so developers should sanitize any user input before it is processed and redisplayed, particularly if it is to appear within an iframe.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.