Consider the following website. Page A (https://example.com/login) contains a login form and its password field has the attributes name
and id
set to "password"
. Page B (https://example.com/vuln) has a XSS vulnerability that allows an attacker to inject JavaScript code. One opens page A in a browser tab and enters a password, but does not submit it. Then, one opens another tab and visits page B there.
Since the pages have the same web origin, the Same-Origin Policy does not restrict access between them and, from the browser's view, the attacker's code is loaded from the origin https://example.com. But the pages' DOMs are not connected by any path that allows to access each other.
Can the attacker's injected JavaScript code access the password field and the password entered into it, or change the form's action attribute? If so, could someone provide a small example?
EDIT: The following statements cause my confusion.
One document can read and modify (i.e., control completely) another document if the two documents were retrieved from the same origin.[1]
I guess that this is referred to documents under the same window object (e.g., between a top frame and a sub frame/iframe) and not between same-origin pages visited in two different browser tabs. Is this correct?
[...] most browsers only store the origin of a password and not the complete URL of the form it was initially stored from. Thus, placing a form on an arbitrary page with the same origin as the login form is sufficient to extract credentials from the victim.[2]
Makes sense at first because the browser will not fill the password into https://example.com/vuln if it has been saved for https://example.com/login. An attacker can only steal the password by finding a vulnerability on https://example.com/login. However, this is contrary to the following statement:
The security argument accompanying origin-based matching is that path-based matching does not add any additional security benefits against same-origin attackers, since same-origin attackers already have full JavaScript execution capabilities.[3]
Based to this, I assume that an attacker can abuse https://example.com/vuln to access https://example.com/login, for example, reading the password field or changing the action attribute to attacker.com
. But I do not understand how this is possible if none of the tabs has been opened by the other and therefore their DOMs are not connected through any reference.
References:
[1] Beware of Finer-Grained Origins
[2] Protecting Users Against XSS-based Password Manager Abuse
[3] Automated Password Extraction Attack on Modern Password Managers