Is cross-domain attack possible through style sheet?

I need to implement a flexible style system for web pages created by users of my web application.

Ideally, I would like to let them use CSS. Is associating a stylesheet with a user-defined URL a bad idea? Why? Can this be done safely?

What would your approach to this be? I am trying to avoid creating a style editor, although an off-the-shelf one might be an option. Suggestions?

+6
2 answers

Can this be done safely?

It depends on how you define "safe". An external style sheet can make things look ugly or play tricks with existing controls on the site. You cannot prevent this, since it is impossible to detect. Here is a good overview of the malicious things that can be done this way.

In addition, CSS can obviously initiate requests to any URL by setting a background-image or similar. The browser will notice that the URL is not a valid image resource, but the request will still be sent. So it is possible to provoke an authentication prompt, which a user of the site might mistake for the site's own login prompt and fill in.

I don't know of any CSS script attacks, although I'm sure IE behaviors can be one; I would definitely strip those out.

There is a question on Stack Overflow about this, but none of the vulnerabilities mentioned in the accepted answer work with pure external style sheets.

+5

Yes. It could be a vector. This bit LiveJournal:

LiveJournal contains a flaw that allows remote cross-site scripting attacks. This flaw exists because the application does not validate CSS style attributes in the '/cgi-bin/cleanhtml.pl' script before saving them. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, resulting in a loss of integrity. Read more at osvdb.org/21896

The Caja Attack Vectors wiki explains how expression(), -moz-binding and similar mechanisms can allow arbitrary code execution:

Effect

Crafted CSS stylesheets can execute uncajoled (unsandboxed) JavaScript in the global scope in some browsers.

...

Version

IE 5 and later (but not IE 8 or later in "standard mode").

Mozilla / Firefox, versions unknown.

Example

    <!-- IE: expression() in an inline style attribute -->
    <div id='oDiv' style='left:expression(alert("hello"), 0)'> Example DIV </div>

    // IE: the same expression() set through the DOM
    node.style.cssText = 'left:expression(alert("hello"), 0)';

    <!-- Mozilla: XBL binding loaded from an external URL -->
    <input style='-moz-binding: url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox");'>

    /* Mozilla: XBL binding embedded in a data: URL */
    div { -moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%0A%3Cbindings%20id%3D%22xbltestBindings%22%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%0A%20%20%3Cbinding%20id%3D%22xbltest%22%3E%3Ccontent%3EPASS%3C/content%3E%3C/binding%3E%0A%3C/bindings%3E%0A); }

    // Mozilla: the same binding set through the DOM
    node.style.MozBinding = 'url("http://www.mozilla.org/xbl/htmlBindings.xml#checkbox")';

    <!-- IE: behavior (.htc) attached through a style attribute -->
    <ul> <li style="behavior:url(a1.htc) url(a2.htc)">List Item</li> </ul>

Can this be done safely?

Yes. Use a whitelist of CSS properties and strip out anything you don't consider safe.

Caja defines whitelists in JSON format that allow a large subset of CSS while forbidding the properties that can execute code.

+4
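A declaration-level allowlist sanitizer in the spirit of the approach this answer describes, added here as an illustration; it is not code from the answer or from the Caja project, and the property allowlist, the dangerous-value pattern and the parsing rules are my own assumptions.

```python
import re

# Constructed allowlist of properties a user-supplied sheet may set.
# Anything not listed (background-image, behavior, -moz-binding, ...) is dropped.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "text-align", "margin", "padding", "border", "width", "height", "display",
}

# Value tokens that can execute script or trigger requests in some browsers.
# Backslashes are rejected outright so CSS escapes cannot hide a keyword.
DANGEROUS_VALUE = re.compile(
    r"expression\s*\(|url\s*\(|javascript:|@import|\\|<", re.IGNORECASE
)


def sanitize_declarations(block: str) -> list[tuple[str, str]]:
    """Return the (property, value) pairs of one declaration block that pass the allowlist."""
    kept = []
    for decl in block.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop not in ALLOWED_PROPERTIES:
            continue
        if DANGEROUS_VALUE.search(value) or "/*" in value:
            continue
        kept.append((prop, value))
    return kept


def sanitize_stylesheet(css: str) -> str:
    """Rebuild a stylesheet from its rules, keeping only allowlisted declarations."""
    # Strip comments first so 'expr/**/ession' cannot split a dangerous token.
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    # Drop block-less at-rules such as @import; @media wrappers are flattened away.
    css = re.sub(r"@[^{};]*;", "", css)
    out = []
    for m in re.finditer(r"([^{}]+)\{([^{}]*)\}", css):
        selector = m.group(1).strip()
        if selector.startswith("@"):
            continue
        decls = sanitize_declarations(m.group(2))
        if decls:
            body = "; ".join(f"{p}: {v}" for p, v in decls)
            out.append(f"{selector} {{ {body}; }}")
    return "\n".join(out)
```

Selectors are kept as written; scoping them under a per-user container is a separate step this block does not attempt.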

Source: https://habr.com/ru/post/910196/
