Overwriting Attributes
There’s an interesting thread on sla.ckers about how Firefox overwrites attributes. The short of it is that if you have attribute="false" followed by attribute="true", the second attribute overwrites the first. This is definitely not the first time I’ve come across this, and if you think about it, it makes sense: one of them has to win, so it’s a toss-up as to which one should. So for the most part I totally ignored that phenomenon, chalking it up to potentially problematic but difficult or impossible to exploit in any useful way. However, that was until this thread.
One thing that MySpace does, for instance, is add the attribute allowScriptAccess="never" to any object tags, neutering their effectiveness in an attack. However, if you immediately follow it up with your own attribute allowScriptAccess="always", it will override MySpace’s security setting (I don’t know if there is a working exploit out there for this; it’s just an example as far as I know). However, now it’s clear that there could be situations where there are other attributes that users are allowed to write into that, in all other ways, prevent XSS but allow you to change the functionality of the tag you are within. Clever attack!
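The root cause described above is a filter that bolts a restrictive attribute onto user-supplied markup by string concatenation and then relies on the browser's duplicate-attribute rule, which is not the filter's to choose. The following is an added example, not code from the original post or from MySpace: a small start-tag attribute tokenizer, a resolver that applies either the last-wins rule the post reports for Firefox of that era or the first-wins rule of the modern HTML parser (the spec drops a repeated attribute as a parse error), a concatenation-style "neuter" function that the override defeats, and a hardened version that parses, strips the user's copies of policy attributes, sets authoritative values, and reserializes so no attribute name appears twice. All function names and the `POLICY` values are my own choices for illustration.

```javascript
// Added example: duplicate HTML attributes and how a sanitizer should handle them.
// Not code from the original post; names and policy values are illustrative.

// Tokenize a single start tag such as <object data="x.swf" allowScriptAccess="always">.
// Handles name="value", name='value', name=value and bare attribute names.
function parseTag(tag) {
  const m = /^<\s*([A-Za-z][\w-]*)([\s\S]*?)\/?\s*>$/.exec(tag.trim());
  if (!m) throw new Error("not a single start tag");
  const name = m[1].toLowerCase();
  const attrs = [];
  const re = /([^\s=/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let a;
  while ((a = re.exec(m[2])) !== null) {
    // Attribute names are case-insensitive in HTML, so normalize for comparison.
    attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" });
  }
  return { name, attrs };
}

// Collapse repeated names under a chosen rule:
//   "last-wins"  - the behaviour the post reports for Firefox at the time
//   "first-wins" - the HTML5 parsing rule (a repeated attribute is dropped)
function resolve(attrs, policy) {
  const out = new Map();
  for (const { name, value } of attrs) {
    if (policy === "first-wins" && out.has(name)) continue;
    out.set(name, value);
  }
  return out;
}

// Detection helper: names that occur more than once in a tag. Any hit means the
// rendered result depends on the browser's tie-break rule, not on the filter.
function duplicateNames(attrs) {
  const seen = new Set(), dups = new Set();
  for (const { name } of attrs) (seen.has(name) ? dups : seen).add(name);
  return [...dups];
}

// Fragile approach: prepend the restrictive attribute to whatever the user wrote.
// Under last-wins resolution a later user-supplied copy overrides it.
function naiveNeuter(userTag) {
  return userTag.replace(/^<\s*object\b/i, '<object allowScriptAccess="never"');
}

// Hardened approach: parse, discard the user's copies of policy-controlled
// attributes, set the authoritative values, and reserialize with escaping.
const POLICY = { allowscriptaccess: "never", allownetworking: "none" }; // illustrative values
const SAFE_NAME = /^[a-z][a-z0-9-]*$/; // only emit attribute names that serialize unambiguously

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function hardenedNeuter(userTag) {
  const { name, attrs } = parseTag(userTag);
  if (name !== "object") throw new Error("only <object> is handled in this example");
  const merged = new Map();
  for (const { name: n, value } of attrs) {
    if (Object.prototype.hasOwnProperty.call(POLICY, n)) continue; // user may not set these
    if (!SAFE_NAME.test(n)) continue;                               // drop unserializable names
    merged.set(n, value);                                           // later user copy replaces earlier
  }
  for (const [n, v] of Object.entries(POLICY)) merged.set(n, v);   // authoritative, set once
  const parts = [...merged].map(([n, v]) => `${n}="${escapeAttr(v)}"`);
  return `<object ${parts.join(" ")}>`;
}

// Constructed sample input, as a user might submit it.
const USER_TAG = '<object data="x.swf" allowScriptAccess="always">';
```

Running `naiveNeuter(USER_TAG)` yields a tag with two `allowscriptaccess` attributes, and `resolve(..., "last-wins")` reports the user's value; `hardenedNeuter(USER_TAG)` yields one copy of each policy attribute with the restrictive value regardless of which rule the browser applies, and `duplicateNames` over its output is empty, which is the property a filter should assert in its own tests.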
August 30th, 2007 at 4:05 pm
I wonder if you can use this to overwrite a cookies HTMLOnly settings …. hmmmmmmmmm
August 30th, 2007 at 6:22 pm
http://www.criticalsecurity.net/index.php?s=&showtopic=25137&view=findpost&p=160282 explains it a lot better. In relation to which attribute is used, it depends on the circumstances surrounding the code that proceeds it. What's more is that this technique is older than id. As for working on MySpace, when I was mucking around with them a while back I tried all this with no luck.
August 31st, 2007 at 2:52 am
But if you already can modify the DOM you could access the flash object, which works in all browsers.
September 3rd, 2007 at 5:37 pm
Like digi7al64 I too had attempted to use this to exploit MySpace with a simple combination of a Flash object and some simple code I was hoping would be executed a few months ago when they introduced the “allowScriptAccess” attribute.
September 4th, 2007 at 1:08 pm
I had success with this on another page: