0

Consider the following website. Page A (https://example.com/login) contains a login form and its password field has the attributes name and id set to "password". Page B (https://example.com/vuln) has a XSS vulnerability that allows an attacker to inject JavaScript code. One opens page A in a browser tab and enters a password, but does not submit it. Then, one opens another tab and visits page B there.

Since the pages have the same web origin, the Same-Origin Policy does not restrict access between them and, from the browser's view, the attacker's code is loaded from the origin https://example.com. But the pages' DOMs are not connected by any path that allows to access each other.

Can the attacker's injected JavaScript code access the password field and the password entered into it, or change the form's action attribute? If so, could someone provide a small example?

EDIT: The following statements cause my confusion.

One document can read and modify (i.e., control completely) another document if the two documents were retrieved from the same origin.[1]

I guess that this is referred to documents under the same window object (e.g., between a top frame and a sub frame/iframe) and not between same-origin pages visited in two different browser tabs. Is this correct?

[...] most browsers only store the origin of a password and not the complete URL of the form it was initially stored from. Thus, placing a form on an arbitrary page with the same origin as the login form is sufficient to extract credentials from the victim.[2]

Makes sense at first because the browser will not fill the password into https://example.com/vuln if it has been saved for https://example.com/login. An attacker can only steal the password by finding a vulnerability on https://example.com/login. However, this is contrary to the following statement:

The security argument accompanying origin-based matching is that path-based matching does not add any additional security benefits against same-origin attackers, since same-origin attackers already have full JavaScript execution capabilities.[3]

Based to this, I assume that an attacker can abuse https://example.com/vuln to access https://example.com/login, for example, reading the password field or changing the action attribute to attacker.com. But I do not understand how this is possible if none of the tabs has been opened by the other and therefore their DOMs are not connected through any reference.

References:

[1] Beware of Finer-Grained Origins

[2] Protecting Users Against XSS-based Password Manager Abuse

[3] Automated Password Extraction Attack on Modern Password Managers

Ronquam
  • 1
  • 1
  • I don't believe so. (unless Page B opens Page A in a tab...) If, however, page B is in an iframe inside page A, you could use parent. to get at the same-origin content there. – pcalkins Feb 07 '20 at 22:35
  • @tim Partly, but there's still a gap in knowledge. I added statements from academic literature that are contradictory and explain my problem of understanding in more detail. – Ronquam Feb 08 '20 at 10:57
  • Those statements are not contradictory, as far as I can see. – Rory Alsop Feb 08 '20 at 11:54
  • @RoryAlsop [2] recommends path-based matching and [3] recommends origin-based matching and states that additionally considering the path has no advantage. – Ronquam Feb 08 '20 at 12:10
  • They both say path based matching has no real advantage – Rory Alsop Feb 08 '20 at 13:17
  • I think part of what they are concerned about here are passwords saved in the browser. If an attacker has the ability to create a page from the same domain, the victims browser could auto-fill those fields. Access to the WindowProxy may also be possible even if the tab/window is not launched via javascript. ( I don't really know for sure... but it sounds like access to the WindowProxy is allowed for same origin requests. There are pieces of the Window and Location object that are available across tabs/windows/frames...) – pcalkins Feb 08 '20 at 18:08
  • They seem to keep complicating this in the W3C spec... they have an algorithm here: https://html.spec.whatwg.org/multipage/browsers.html#security-nav – pcalkins Feb 08 '20 at 18:27

0 Answers0