Is including an external CSS file safe, or could it lead to code injection?

I'm working on a site that customers will use by embedding it in an iframe in their site. I want to give them the ability to customize the styling of the contents so they can make it fit in with the styles of their site.

The basic idea I have is to let them give me the URL to a CSS file I should include in the page I serve to them to fill the iframe. As far as I know this is safe, but I'm not particularly familiar with CSS (especially the newer versions), so I want to verify this.

Is there any way someone could construct a CSS file that would let them inject code into my site or otherwise gain access to things like my domain's cookies? Is this really safe, or do I need to come up with a different solution?

Herms asked Aug 22 '11 20:08


1 Answer

No, it is unsafe. expression and -moz-binding are known ways to cause arbitrary script execution on certain browsers via CSS. LiveJournal suffered a very public XSS attack that was due to JavaScript embedded in user-supplied CSS.

With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken.

From Caja's attack vector wiki:

Crafted CSS stylesheets can execute unsanitized javascript in the global scope on some browsers.

Background

CSS includes several mechanisms for changing the surrounding markup and executing expressions.

IE has an extension that allows execution of arbitrary javascript. The expression property is described at http://msdn2.microsoft.com/en-us/library/ms537634.aspx

Using the power of dynamic properties, it is now possible to declare property values not only as constants, but also as formulas. ... For scripting, a dynamic property can be any legal JScript or Microsoft Visual Basic Scripting Edition (VBScript) statement. http://msdn2.microsoft.com/en-us/library/ms533503.aspx

binding allows binding to externally specified scripts http://developer.mozilla.org/en/docs/CSS:-moz-binding & http://developer.mozilla.org/en/docs/XBL:XBL_1.0_Reference:Elements#binding

-moz-binding allows binding via the XML interface (also using data: URLs)

Assumptions

Untrusted code can generate style elements or style attributes or otherwise add arbitrary CSS rules and create DOM elements that trigger those rules.

Versions

IE 5 and later (but not IE 8 or later in "standards mode").

Mozilla/Firefox, versions not known.

Mike Samuel answered Sep 18 '22 11:09
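A server-side rejection check for the two constructs the answer above names, as an added example that is not part of the original question or answer. It normalizes CSS comments and escapes before matching, so a rewritten spelling of the same keyword is still caught. The names scan_stylesheet and normalize, the sample sheets, and the extra @import check are assumptions made for illustration.

```python
import re

# Constructs the answer names as script-execution vectors in CSS, plus
# @import (added here: it pulls in further CSS this check never sees).
DANGEROUS = {
    "expression": re.compile(r"expression\s*\("),
    "-moz-binding": re.compile(r"-moz-binding\s*:"),
    "@import": re.compile(r"@import\b"),
}

_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace),
# or backslash + any other single character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])")


def _unescape(match):
    if match.group(1):
        code = int(match.group(1), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return match.group(2)


def normalize(css):
    """Drop NULs and comments, decode CSS escapes, lowercase."""
    css = css.replace("\x00", "")
    css = _COMMENT.sub("", css)
    css = _ESCAPE.sub(_unescape, css)
    return css.lower()


def scan_stylesheet(css):
    """Return the sorted names of dangerous constructs found in css."""
    text = normalize(css)
    return sorted(name for name, rx in DANGEROUS.items() if rx.search(text))


# Constructed sample stylesheets (not taken from any real customer input).
SAMPLES = {
    "benign": "body { color: #333; font-family: sans-serif; }",
    "expression": "div { width: expression(document.body.clientWidth); }",
    "escaped": r"div { width: \65 xpression(1); }",
    "commented": "div { width: EXP/**/RESSION (1); }",
    "binding": "p { -moz-binding: url('https://example.invalid/x.xml#b'); }",
    "import": "@import url('https://example.invalid/more.css');",
}

if __name__ == "__main__":
    for label, sheet in SAMPLES.items():
        print(label, scan_stylesheet(sheet))
```

A non-empty result means the stylesheet should be refused rather than linked into the page; a pattern check like this is a rejection filter and does not replace a CSS parser that emits only allow-listed properties.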