
Possible Duplicate:
Cross Site Scripting in CSS Stylesheets

I'm considering allowing users to create their own CSS through linked stylesheets (NOT embedded style tags). Can an XSS attack be performed from a stylesheet?

Thanks

Tom

3 Answers


In Internet Explorer, Firefox and other browsers you can embed JavaScript in CSS by specifying a javascript: URL in a url() CSS statement.

Even if you manage to filter these out, an attacker can still completely redesign the page (including all of its textual content) with advanced CSS. Therefore, it becomes extremely easy to trick users into executing stupid actions, which is what XSS is about. For example, you could make the Delete Account button fill the entire window and change its text to "Click here to win 1000$".

You can white-list a select few properties (text-*, font-*, color, background (only colors and gradients, no URLs or other fancy stuff)), but you'll have to reject anything that does not match these restrictions.

phihag
  • Possibly the worst IE ever did. – Amir Raminfar Jun 24 '11 at 19:32
  • @Amir Raminfar: I think it'd be a shorter list to list what IE did right. I'll start: Allows me to download a real browser. – Robert Jun 24 '11 at 19:35
  • Are there a handful of CSS keywords I can blacklist to prevent execution and filling elements with new content? – Tom Jun 24 '11 at 19:35
  • @Tom No. What you *can* do is white-list a select few (color, background, text-decoration, font-* etc.), but you'd have to write your own bullet-proof validator for that. – phihag Jun 24 '11 at 19:37
  • @Robert, took me a while to get what you are saying, but it reminds me of the pie chart on reddit where it was like 99% use IE to download other browsers. :) – Amir Raminfar Jun 24 '11 at 19:40
  • @Amir: Care to find the particular pie chart "on reddit" you're referring to? I imagine that reddit contains multiple pie charts about IE. – Eric Jun 24 '11 at 20:55
  • @Robert Enough with the IE hate; there is a direct equivalent in Firefox's `-moz-binding` and in probably all browsers with `javascript:` url()s. – phihag Jun 24 '11 at 20:59
  • I hate IE for many, many more reasons than XSS injection through CSS... – Robert Jun 24 '11 at 21:03
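A validator along the lines phihag describes, written as an added example that is not part of this thread (the property list, the regular expressions, the function names and the sample stylesheets are my own choices, not anything the thread's participants posted). It accepts only `text-*`, `font-*`, `color`, `text-decoration` and `background`, and rejects any value carrying `url()`, `javascript:`, `-moz-binding`, `!important` or a CSS escape, so the `javascript:` url() vector from the answer, the `-moz-binding` equivalent from the comments, and the `content`/`!important` tricks raised in the other answer all fail the same check.

```javascript
'use strict';

// Added example (not from the thread): an allow-list validator for user-supplied CSS.
// Properties are accepted only if listed here; `content` is deliberately absent, so
// :before/:after cannot inject text, and layout properties cannot resize controls.
const ALLOWED_PROPERTIES = new Set(['color', 'background', 'background-color', 'text-decoration']);
const ALLOWED_PREFIXES = ['text-', 'font-'];

// Value fragments rejected regardless of property: url() and javascript: (the vectors
// named in the answer), -moz-binding, legacy IE expression(), !important (which would
// override the site's own rules no matter the load order), CSS escapes and markup chars.
const FORBIDDEN_VALUE = /url\s*\(|javascript\s*:|expression\s*\(|-moz-binding|!\s*important|\\|[<>&]/i;

// Positive character allow-list for values: words, colours, percentages, the parentheses
// and commas that rgb()/linear-gradient() need, and quotes for font names.
const SAFE_VALUE_CHARS = /^[\w\s#%.,()'"-]+$/;
// Selectors: element, class, id, combinators and pseudo-classes only.
const SAFE_SELECTOR = /^[\w\s.#,>+~:-]+$/;

function isAllowedProperty(name) {
  return ALLOWED_PROPERTIES.has(name) || ALLOWED_PREFIXES.some((p) => name.startsWith(p));
}

// Validate one `prop: value` declaration. Returns the normalised declaration, or null
// after recording the reason in `rejected`.
function validateDeclaration(decl, selector, rejected) {
  const colon = decl.indexOf(':');
  if (colon < 0) {
    rejected.push(`${selector}: malformed declaration "${decl}"`);
    return null;
  }
  const prop = decl.slice(0, colon).trim().toLowerCase();
  const value = decl.slice(colon + 1).trim();
  if (!isAllowedProperty(prop)) {
    rejected.push(`${selector}: property "${prop}" not allowed`);
    return null;
  }
  if (FORBIDDEN_VALUE.test(value) || !SAFE_VALUE_CHARS.test(value)) {
    rejected.push(`${selector}: value for "${prop}" rejected`);
    return null;
  }
  return `${prop}: ${value}`;
}

// Parse a flat `selector { declarations }` stylesheet and return the rules that pass
// plus the list of rejections. Comments, at-rules (@import, @font-face) and nested or
// stray braces are rejected outright rather than interpreted, which keeps the parser
// small enough to reason about.
function sanitizeStylesheet(css) {
  if (/\/\*|@/.test(css)) {
    return { css: '', rejected: ['comments and at-rules are not allowed'] };
  }
  const rejected = [];
  const rules = [];
  const blockRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = blockRe.exec(css)) !== null) {
    const selector = m[1].trim();
    if (!SAFE_SELECTOR.test(selector)) {
      rejected.push(`selector "${selector}" rejected`);
      continue;
    }
    const decls = m[2]
      .split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => validateDeclaration(d, selector, rejected))
      .filter(Boolean);
    if (decls.length > 0) rules.push(`${selector} { ${decls.join('; ')}; }`);
  }
  // Anything left outside matched blocks means the sheet was not flat.
  if (css.replace(blockRe, '').trim() !== '') rejected.push('unbalanced or stray braces');
  return { css: rules.join('\n'), rejected };
}

// Constructed sample input: a clean sheet, then one mixing in the javascript: url(),
// !important and :before content tricks discussed in the answer and its comments.
const CLEAN_SHEET = 'p { color: #333; font-family: "Open Sans", sans-serif } h1 { text-decoration: underline; }';
const HOSTILE_SHEET =
  'body { background: url(javascript:void(0)) } p { color: red !important } ' +
  '.x:before { content: "hi" } div { width: 100% }';

console.log(sanitizeStylesheet(CLEAN_SHEET));
console.log(sanitizeStylesheet(HOSTILE_SHEET));
```

The validator returns both the surviving rules and the reasons for each rejection, so a site can either refuse the whole upload when `rejected` is non-empty or serve only the clean subset; the positive character allow-list on values is there so that a value the denylist regex does not anticipate (an unusual escape, say) still fails closed.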

Interesting question. I can imagine the style sheet having the ability to remove or hide elements, which can be a security problem. You can also insert text after a certain element using :after and :before, so you might want to be careful about that.

Alternatively, I think you should include their style sheet first so that they don't suddenly change all your fonts or something global.

Amir Raminfar
  • Including the style sheet first has no effect; you can simply define rules with higher precedence. – phihag Jun 24 '11 at 19:34
  • That's what I am saying is a good thing. If the other CSS is `#foo div`, then it's clear that they are targeting those divs. We use this approach so that our default CSS doesn't suddenly get changed. – Amir Raminfar Jun 24 '11 at 19:36
  • I meant: The **attacker** can define rules with higher precedence, by just sticking `!important` before every value. – phihag Jun 24 '11 at 19:39
  • Yep, I am aware of that. And I totally agree with you. I wasn't saying this is to make it secure. I was just saying so the old style doesn't totally get jacked up. – Amir Raminfar Jun 24 '11 at 19:57

Those are old hacks but might still work in older browsers; for example, you can put the javascript: protocol in an href attribute.

http://ha.ckers.org/xss.html (search for style)

vlscanner