Re: Risks from CSS injection

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 8 Dec 2009 17:15:02 -0800
Message-ID: <7789133a0912081715y779c85afy1344b90d222f2646@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: gaz Heyes <gazheyes@gmail.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org

On Tue, Dec 8, 2009 at 10:54 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> Thus, any site doing voluntary injection of CSS must do whitelisting to be
> safe. Any site with inadvertent CSS injection holes is already at great
> risk. Thus I am not sure it is worth focusing on attribute selectors
> specifically as a CSS-based attack vector. Am I missing anything here?

You seem to be equating the severity of attacks that require user
interaction with attacks that require no user interaction.  Attacks
that require no user interaction are at least an order of magnitude
more severe.  For example, click-through rates on advertisements are
typically around 1%, so an attack that I can run in an advertisement's
iframe is likely to be 100x more successful than one that requires the
user to click on the ad.

Adam
Received on Wednesday, 9 December 2009 01:16:08 GMT