<iframe seamless="" style="width: 100%; height: 500px;" src="patients/john-smith/ccda/rendered?secret_token=123abc">
Vulnerability #1: Leaking Referer headers

This C-CDA includes a reference to an external image. The rendered HTML view includes an img tag that points to an external host (https://hack.me). This can be dangerous because browsers include a "Referer" header on each image load request, which contains the full URL of the current page. If there's secret state embedded in the current page URL, hack.me will learn it. In the example above, the external site learns the value of secret_token each time an image loads.
Vulnerability #2: Cross-site scripting

This C-CDA includes malicious style and onmouseover attributes (in violation of the CDA specification!) that lead to dangerous rendered HTML. The rendered HTML includes a hidden full-screen table that will run arbitrary JavaScript code any time the mouse moves over the document. Such code has access to all state associated with the page origin used inside the iframe. This includes:
- Page URL
- Cookies associated with the domain
- localStorage data associated with the domain
- ... and if the iframe shares its domain with the parent window, it has full access to all application state via window.parent
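As an added example (not part of the original demo or of the SMART project's code), a small Python filter that a server could apply to the rendered HTML after the C-CDA-to-HTML transform and before serving it in the iframe: it drops on* event handlers and inline style attributes, blocks src/href values that point to hosts outside an allowlist (or use a non-http scheme), and records a finding for each. The allowlist parameter and the sample markup are constructed for illustration; this covers only the attribute classes described above, not every path to script execution.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"src", "href", "background"}   # attributes that cause a fetch
SAFE_SCHEMES = {"", "http", "https"}        # "" = relative URL

class CcdaHtmlSanitizer(HTMLParser):
    """Re-emit rendered C-CDA HTML without on* handlers, inline style, or off-site URLs."""
    def __init__(self, allowed_hosts=()):
        super().__init__()                       # convert_charrefs=True: data arrives decoded
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.out, self.findings = [], []
    def _url_ok(self, value):
        u = urlparse(value.strip())
        if u.scheme.lower() not in SAFE_SCHEMES:   # javascript:, data:, ...
            return False
        return not u.netloc or u.netloc.lower() in self.allowed_hosts
    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:                  # HTMLParser lowercases names
            if name.startswith("on"):              # onmouseover, onload, ...
                self.findings.append(f"<{tag}>: dropped event handler {name}")
            elif name == "style":                  # hidden full-screen overlay trick
                self.findings.append(f"<{tag}>: dropped inline style")
            elif name in URL_ATTRS and value and not self._url_ok(value):
                self.findings.append(f"<{tag}>: blocked {name}={value}")
            else:
                kept.append((name, value))
        return kept
    def _emit(self, tag, attrs, close=""):
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                         for n, v in self._clean_attrs(tag, attrs)]
        self.out.append(f"<{' '.join(parts)}{close}>")
    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(html.escape(data, quote=False))
    # comments, doctype and processing instructions are intentionally not re-emitted

def sanitize(markup, allowed_hosts=()):
    """Return (cleaned_html, findings) for one rendered document (hypothetical helper)."""
    p = CcdaHtmlSanitizer(allowed_hosts)
    p.feed(markup); p.close()
    return "".join(p.out), p.findings

# Constructed sample mirroring the demo: hidden overlay table with a handler, off-site image.
SAMPLE = ('<table style="position:fixed;width:100%;height:100%;opacity:0" onmouseover="x()">'
          '<tr><td>Notes</td></tr></table><img src="https://hack.me/pixel.png" alt="logo">'
          '<img src="/static/logo.png" alt="local">')
```

Blocking the off-site fetch also removes the Referer leak for that document; independently, a Referrer-Policy: no-referrer response header on the rendered view (or keeping the token out of the URL altogether) stops the header from carrying the secret even if a fetch slips through.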
Source files on GitHub & smartplatforms.org