Do browsers allows pages loaded on one tab to access/intercept/inject data in other tabs?

MrBrian · Dec 12, 2014

From http://security.stackexchange.com/q...one-tab-to-access-intercept-inject-data-in-ot:

I was surprised to hear from this Reuters video that it was possible for a page loaded on one tab to access and/or inject data onto another page loaded on a different tab.

TL;DW (too lazy; didn't watch) The interviewee in the video suggests that when doing online banking, the user exit his browser (thus closing all windows) and start a new browser session with just your banking page/tab open. Allegedly, malicious sites can check if you have your banking site open and inject commands onto those sites.

Can someone confirm and/or deny this claim? Is it only possible even if there is not parent/child relationship between windows/tabs?
Click to expand...

MrBrian · Dec 12, 2014

"Yes, you can have fun with [web browser] downloads" revisited two years later

MrBrian · Dec 12, 2014

From Scriptless Attacks – Stealing the Pie Without Touching the Sill (2012 paper):

[Abstract]

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. NoScript, and disabling scripting code in non-browser applications such as e-mail clients or instant messengers.

As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios.

In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website.

We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
Click to expand...

Download: hxxp://hgi.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf .

MrBrian · Dec 12, 2014

Closing a tab isn't necessarily sufficient though. Sometimes logging out isn't sufficient either. Do we need to logout of webapps?

Log in or Sign up

Do browsers allows pages loaded on one tab to access/intercept/inject data in other tabs?

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

Log in or Sign up

Do browsers allows pages loaded on one tab to access/intercept/inject data in other tabs?

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

MrBrian Registered Member

Useful Searches