Paid Advertising
web application security lab

Overwriting Attributes

There’s an interesting thread on sla.ckers about how Firefox overwrites attributes. The short of it is if you have attribute=”false” followed by attribute=”true” the second attribute overwrites the first. This is definitely not the first time I’ve come across this, and if you think about it, it makes sense - one of them has to win, so it’s a tossup as to which one should. So for the most part I totally ignored that phenomena, chalking it up to potentially problematic, but difficult or impossible to exploit in any useful way. However, that was until this thread.

One thing that MySpace does, for instance, is add the attribute allowScriptAccess=”never” to any object tags, neutering their effectiveness in an attack. However, if you immediately follow it up with your own attribute allowScriptAccess=”always” it will override MySpace’s security settings (I don’t know if there is a working exploit out there for this - it’s just an example as far as I know). However, now it’s clear that there could be situations where there are other attributes that users are allowed to write into, that in all other ways prevent XSS, but allow you to change the functionality of the tag you are within. Clever attack!

5 Responses to “Overwriting Attributes”

  1. Jim Says:

    I wonder if you can use this to overwrite a cookies HTMLOnly settings …. hmmmmmmmmm

  2. digi7al64 Says: explains it a lot better. In relation to which attribute is uses it depends on the circumstances surrounding the code that proceeds it. Whats more is that this technique is older then id. As for working on myspace when i was mucking around with them a while back i tried all this with no luck.

  3. Ronald Says:

    But if you already can modify the DOM you could access the flash object, which works in all browsers.

  4. Awesome AnDrEw Says:

    Like digi7al64 I too had attempted to use this to exploit MySpace with a simple combination of a Flash object and some simple code I was hoping would be executed a few months ago when they introduced the “allowScriptAccess” attribute.

  5. matt Says:

    I had success with this on another page: