I heard about a vulnerability in Chrome and Safari that allows attacks to bypass anti-cross-site scripting filters that is easily exploitable. How can I protect my users and system until patches are released?
Researcher Ioseba Palop from Eleven Paths found a bug in the cross-site scripting filter in Chrome and Safari that enables an attacker to bypass it in certain scenarios and compromise visitors to a vulnerable site. The problem lies in how the new HTML5 "srcdoc" attribute of the iFrame tag is handled by the filter. The iFrame tag is supported in all major browsers and is used to embed another document within the current HTML document. It is marked up as follows:
The srcdoc attribute of the IFRAME tag is new in HTML5 and is currently only supported in Firefox, Chrome and Safari. The srcdoc attribute specifies the HTML content of the page to show in the inline frame. An example would be:
<iframe srcdoc="<p>Welcome to TechTarget!</p>" src="https://www.techtarget.com"></iframe>
(If the src attribute and the srcdoc attribute are specified together, the srcdoc attribute takes priority. This allows a fallback URL for browsers that do not support the srcdoc attribute.)
Security teams should make sure their Web development teams are aware of the issue, as there are some important takeaways. Web developers looking to use new HTML attributes introduced in HTML5 should read the relevant documentation to ensure that they are implementing them correctly and securely. For example, the srcdoc attribute is expected to be used together with the sandbox and seamless attributes. The sandbox attribute enables a set of extra restrictions on any content hosted by the iframe. It is also important to use a separate domain for the contents of an iframe so if the attacker convinces the user to visit that page directly, the page doesn't run in the context of the site's origin. Most websites have numerous injection points, such as search fields, comment forms and cookies, so developers should sanitize any user input before it is processed and redisplayed, particularly if it is to appear within an iframe.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.