4

I am not very good at putting on my "black hat" and figuring out what a nefarious user might be able to do with a certain type of open door. I'm working on an app that is planned to have such a door and would like some help figuring out how to protect it.

Imagine a site that is a distant cousin to WordPress. It is a content creation and hosting site for specific vertical markets with features to make it more appealing to those markets (compared to the many existing more general alternatives).

On such a site you want to enable the users to cook up their own look and feel for their content. I'm planning a sort of 3 tiered approach to that. 1) provide some selectable "templates" to choose between, 2) provide specific points of additional adjustability (vis. select background color, font-family, etc.) and 3) as a backup for the truly format obsessed customers, the ability to supply a CSS file for use on their pages.

It is about the security hole(s) that might be created by this last item that I wish some help. First and foremost, what sorts of nefarious things can a black hat accomplish from unfettered access to such a door? Is there anything they could do there that would adversely affect any pages that don't specifically include that CSS? Is there anything they could do through malicious CSS to gain some sort of system access? Is there any standard way of filtering user-supplied CSS to prevent (most of) these exploits?

thanks much!

user3314178
  • 51
  • 4
  • `background: url('http://nastydisgustingporn.com/goatse.jpg');`? if you give users even partial control of a page's style, they can conceivably make that page look (mostly) like anything they want, including OTHER sites. – Marc B May 06 '14 at 18:35
  • possible duplicate of [Is there a security threat if I enable a user to add CSS?](http://stackoverflow.com/questions/5836898/is-there-a-security-threat-if-i-enable-a-user-to-add-css) – Cisum Inas May 06 '14 at 18:38

2 Answers2

1

Unless you're doing some sort of preprocessing (LESS, SASS, etc), there should be no risk to your server. The risk is that your users could modify the page in ways you weren't expecting.

Will your site contain any content that users aren't allowed to modify? Maybe a unified toolbar at the top where any user can sign in to their dashboard? A user could modify the CSS on their page to create a phishing attack for other users of the system.

Are you going to put ads on the page? A user could modify the CSS to direct any ad clicks to their own destination.

If any of the content on the page is outside of your users' control, you probably shouldn't let them upload custom css.

If the entire page can be controlled by the user (like in a custom site hosting environment), then custom css should be fine.

James Mason
  • 4,246
  • 1
  • 21
  • 26
  • 1
    Even worse, they could [embed scripts in the CSS](http://stackoverflow.com/a/3613162/413180). – SilverlightFox May 07 '14 at 10:17
  • I'm not sure that meaningfully increases the risk, but yeah. Definitely don't do it unless you're intending to give the user full control over their site. – James Mason May 07 '14 at 19:27
  • Well cookies could be sent without interaction to the attacker. – SilverlightFox May 07 '14 at 19:41
  • HTTP auth, too. That could potentially lead to data leakage for any API endpoints that aren't properly secured (not sure if the data could be sent to a third party or not). That kind of attack should be guarded against anyway, though. – James Mason May 07 '14 at 19:46
0

Do not allow them to upload anything of the sort, give them a user interface to modify their look and feel. This way you are limiting the damage they can do.

Cisum Inas
  • 11,552
  • 11
  • 40
  • 55