
Re: Risks from CSS injection

From: Daniel Glazman <daniel@glazman.org>
Date: Tue, 08 Dec 2009 20:10:38 +0100
Message-ID: <4B1EA4AE.6030209@glazman.org>
To: Maciej Stachowiak <mjs@apple.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

Maciej Stachowiak wrote:

> 1) Arbitrarily move around elements on the page.
> 2) Make any element invisible.
> 3) Replace the visible contents of elements with chosen images or text.
> 4) Overlay one element invisibly on top of another.
> 
> Using these, you can make the "Delete Account" button look like a "Mail 
> me a Free Pony" button. This isn't even counting features like 
> -moz-binding or CSS expressions.
> 
> Thus, any site doing voluntary injection of CSS must do whitelisting to 
> be safe. Any site with inadvertent CSS injection holes is already at 
> great risk. Thus I am not sure it is worth focusing on attribute 
> selectors specifically as a CSS-based attack vector. Am I missing 
> anything here?

I don't think so. You covered most issues related to CSS if you except
the following one: you can make an element almost invisible using the
same color for background and foreground.

</Daniel>
Received on Tuesday, 8 December 2009 19:11:10 GMT
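
The whitelisting discussed in the message above, sketched as an added example that is not part of the original thread: a filter that keeps only explicitly allowed declarations and also drops foreground/background pairs that are nearly the same colour. The function name `filterDeclarations`, the property list, the value patterns and the contrast threshold are assumptions chosen for illustration.

```javascript
// Added example: allowlist filter for user-supplied CSS declarations.
// Property list, value patterns and threshold are assumptions.
const HEX = /^#[0-9a-f]{6}$/i;
const ALLOWED = new Map([
  ['color', HEX],
  ['background-color', HEX],
  ['font-weight', /^(normal|bold)$/i],
  ['font-style', /^(normal|italic)$/i],
  ['text-align', /^(left|right|center)$/i],
]);
const MIN_CHANNEL_DELTA = 64; // assumed cut-off for "too similar" colours

function channels(hex) {
  return [1, 3, 5].map(i => parseInt(hex.slice(i, i + 2), 16));
}

function filterDeclarations(cssText) {
  const kept = new Map();
  const dropped = [];
  for (const raw of cssText.split(';')) {
    if (raw.trim() === '') continue;
    const idx = raw.indexOf(':');
    const prop = idx < 0 ? '' : raw.slice(0, idx).trim().toLowerCase();
    const value = idx < 0 ? '' : raw.slice(idx + 1).trim();
    // Exact-match lookup: escapes, comments, vendor prefixes and unlisted
    // properties (position, opacity, content, -moz-binding) never match.
    const rule = ALLOWED.get(prop);
    if (rule && rule.test(value)) kept.set(prop, value.toLowerCase());
    else dropped.push(raw.trim());
  }
  // Foreground nearly equal to background: drop both declarations.
  // This only sees colours set in the same block, not inherited ones.
  const fg = kept.get('color'), bg = kept.get('background-color');
  if (fg && bg) {
    const a = channels(fg), b = channels(bg);
    const delta = Math.max(...a.map((v, i) => Math.abs(v - b[i])));
    if (delta < MIN_CHANNEL_DELTA) {
      kept.delete('color'); kept.delete('background-color');
      dropped.push('color/background-color (low contrast)');
    }
  }
  const css = [...kept].map(([p, v]) => `${p}: ${v}`).join('; ');
  return { css, dropped };
}

// Constructed sample input using the features named in the thread.
const sample = 'color: #112233; position: absolute; opacity: 0; ' +
  '-moz-binding: url(x.xml#y); width: expression(1); font-weight: bold';
console.log(filterDeclarations(sample));
```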
