Control HTML without javascript

This is something I have known about for a long time. It is advanced and can mostly be used for Cross Site Request Forgeries (CSRF). Not that I condone these, but the best way to defend yourself against hackers is by knowing as much as they do.

In some cases users turn javascript off in their browsers (I do) for security reasons. HTML has just about no scripting capabilities if you discard the FOR attribute on the LABEL tag. It is possible to trick a user into submitting a form by them simply highlighting text on a page. The FOR attribute binds a label to another element, which is some sort of scripting, I guess.

Well, by simply wrapping the BODY of a page in a LABEL tag, which contains text and HTML, the LABEL and its contents become a button through binding of the FOR. This all happens behind the scenes. This means that whenever you select text or click on the body of the page, the binding becomes active, and it is possible to submit a form without any scripting at all!

Example:

<label for="action">
<body>
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor
incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud
exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore
eu fugiat nulla pariatur.
</body>
</label>

<form action="http://twitter.com/logout" method="get">
 <input type="submit" id="action" style="display:none;">
</form>

On my example I show a POC on how you could automatically log someone out of twitter by them simply clicking on a page. Twitter has fixed this CSRF by simply checking the referrer on the browser: If it doesn’t match twitter.com, it sends you to another logout page for you to confirm your action.

This is good knowledge. Use it to protect yourself and not to harm others.

I use a plugin for FireFox called NoScript. This plugin will block all scripts on a per-domain basis. If you trust the domain, then you can enable those scripts. This is extremely helpful because I visit many hacked packages on a weekly basis and I do not want my computer to get a virus. This plugin will protect you from at least 70% of web attacks. I highly encourage you to use it.

STAY UP TO DATE

Sign up today to stay informed with industry news & trends