June 30, 2020
By vaibhav.kothia@gmail.com
- Learning the basics of writing CSS (Cascading Style Sheets) to separate style from the content of your website is great. By creating only a few files, you can define the appearance and layout of a site and easily change them whenever you want a new look. Indeed, this ability to decouple the code for a site's aesthetics from the HTML itself means that it is much easier to change page elements on the fly. However, this ability to separate and store code in external .css files presents security risks. Although there are potential holes in various aspects of a website or web application, CSS injections have become a common problem for unprotected sites. Indeed, if you check the OWASP Top Ten for 2017, injection is at the top of the list, above sensitive data exposure.
- Cross-site scripting is also in the top ten, and it is another consequence of your site not being protected against CSS injections. These attacks often target a vulnerable application programming interface (API). Simply put, an API is a software intermediary that allows applications to communicate. Problems arise when developers do not follow API security protocols, such as filtering traffic based on authentication and authorization. For most website developers and owners, the simple solution to cross-site scripting attacks is a web application firewall (WAF). These programs monitor and filter data moving between applications during an attack to block any malicious software.
- However, as useful as WAFs are at preventing cross-site scripting from infecting HTML and JavaScript code, CSS vulnerabilities can leave the door open for this type of attack. As Mike Gualtieri previously demonstrated, it is possible to exfiltrate data from a user's browser using CSS injections. Although the technique is relatively complex, Gualtieri was able to use attribute selectors (a CSS feature that lets you style HTML elements that have certain attributes) to inject outgoing requests into the code and extract information. While Gualtieri's way of stealing data is a method that only experienced hackers can successfully execute, the threat is there.
- What this tells us as future CSS coders is that security is always an issue. No matter how complex or simple your website is, there is no room for sloppy code. The best way to prevent CSS injections is to go through your code with a fine-tooth comb and look for any omissions or errors. Beyond that, using a vulnerability scanner will detect anything you may have missed. Also, contextual sanitization, where you use different encoding for different situations, should become standard practice.
- Finally, implementing an appropriate Content Security Policy (CSP) will help eliminate any weaknesses you may have missed. Basically, by restricting where images and stylesheets can be loaded from (i.e. the user's browser will only load stylesheets from your domain or trusted third parties), you can block many CSS injection attacks. Of course, as is often the case, security is not a one-and-done job. As things evolve and criminals find new ways to work around defenses, you need to stay active and make sure you are always up to date with the latest security trends.
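
As an added example (not part of the original post), the JavaScript below audits a Content-Security-Policy header for the stylesheet and image restrictions described above. The function names and the two sample policies are assumptions constructed for illustration.

```javascript
// Added example: check whether a CSP header actually restricts where
// stylesheets (style-src) and images (img-src) can be loaded from.

// Source expressions that match any network origin.
const BROAD_SOURCES = new Set(["*", "http:", "https:"]);

// Parse "name v1 v2; name v1" into a Map of directive name -> [sources].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive, so the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings; an empty list means both directives are restricted.
function auditCsp(header) {
  const directives = parseCsp(header);
  const findings = [];
  for (const name of ["style-src", "img-src"]) {
    // A missing fetch directive falls back to default-src.
    const sources = directives.get(name) ?? directives.get("default-src");
    if (sources === undefined) {
      findings.push(`${name}: not restricted (no ${name} or default-src)`);
      continue;
    }
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const pinned = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    for (const src of sources) {
      const s = src.toLowerCase();
      if (BROAD_SOURCES.has(s)) {
        findings.push(`${name}: ${s} allows loads from any origin`);
      } else if (name === "style-src" && s === "'unsafe-inline'" && !pinned) {
        findings.push(`${name}: 'unsafe-inline' allows injected <style> blocks`);
      }
    }
  }
  return findings;
}

// Constructed sample policies: a weak one and a tightened one.
const WEAK = "default-src *; style-src 'self' 'unsafe-inline' https:";
const STRICT = "default-src 'none'; style-src 'self'; img-src 'self' https://cdn.example";

console.log(auditCsp(WEAK));   // three findings
console.log(auditCsp(STRICT)); // no findings
```

An empty result only means the two directives are not wide open; every origin still listed in them must itself be trusted not to serve attacker-controlled stylesheets.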