label clickjacking and javascriptless csrf
Another niche attack. I happened to notice the interesting behaviour of the <label> tag today while working on some web application development.
<label for="target">*STUFF*</label> |
The for-attribute triggers a click event on the targeted element by id. It can trigger the click events on a bunch of different input-tags whenever anything between it's start and end tags are clicked. This is an intended behaviour, but it can be abused for clickjacking.
Here is a way to abuse it for submitting csrf forms.
Of course, it's a bit redundant. The following snippet does the same thing without using the label tag at all.
I tested both of these in firefox with noscript and they pass.
But imagine a scenario where the HTML filtering is not quite as secure as it should be and the label-tag can be submitted. Then it could be abused to trigger clicks on the rendered site without the user's consent. Imagine a social media site with a "like"-functionality alá Facebook for example. Triggering a click on the like could make for some fun Samy-like worms.
Fortunately, most sites use whitelists for html user input these days.