Risks from CSS injection

On Dec 8, 2009, at 7:07 AM, Maciej Stachowiak wrote:

> Another possibility is to specifically blacklist the use of the  
> contents of the "value" attribute in attribute selectors for  
> elements in the HTML namespace. Either all elements, or specifically  
> input elements, or more specifically input elements of type password  
> or hidden.
>
> I think that is better than making attribute selectors not work with  
> those elements at all. People validly use attribute selectors on  
> form controls based on the "type" attribute to style them.

I'd like to backpedal from this proposal for a second so I can  
understand the issue better. Are we worried about:

A) Sites that voluntarily include untrusted CSS (such as user-provided)
without filtering being exposed to data theft risk.
B) Sites that have inadvertent CSS injection risk (but without the  
possibility of script injection) being exposed to data theft risk.
C) Both.

One thing to keep in mind is that including untrusted CSS is already  
extremely risky. If the attacker can inject CSS (whether willingly or  
not) he or she can do the following:

1) Arbitrarily move around elements on the page.
2) Make any element invisible.
3) Replace the visible contents of elements with chosen images or text.
4) Overlay one element invisibly on top of another.

Using these, you can make the "Delete Account" button look like a
"Mail me a Free Pony" button. This isn't even counting features like
-moz-binding or CSS expressions.

Thus, any site doing voluntary injection of CSS must do whitelisting
to be safe. Any site with inadvertent CSS injection holes is already
at great risk. Thus I am not sure it is worth focusing on attribute
selectors specifically as a CSS-based attack vector. Am I missing
anything here?

Regards,
Maciej

Received on Tuesday, 8 December 2009 18:55:03 UTC
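As an added example that is not code from the original thread, here is the kind of allow-list filter the message says a site embedding user-provided CSS needs: it keeps only rules whose selector shape and properties it can fully account for, so attribute selectors on "value", the layout and visibility properties behind the four capabilities listed above, and function syntax such as url() or -moz-binding never get through. The allowed property set, the selector grammar and the sample stylesheet are this example's own assumptions.

```javascript
// Added example, not code from the original thread. The allowed properties,
// selector grammar and sample input are assumptions; the input is assumed to be
// a flat stylesheet (no @-rules, no comments). Unrecognised rules are dropped.
// Properties that cannot move, hide, replace or overlay elements (the four
// capabilities in the message); position, display, opacity, content are absent.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style',
  'text-decoration', 'border-color',
]);
// Selector shape: tag and/or .class/#id parts, plus at most one attribute
// selector, only on "type". An attribute selector on "value" never matches.
const SELECTOR_RE = /^(?:[a-zA-Z][\w-]*|[.#][\w-]+)(?:[.#][\w-]+)*(?:\[type="[\w-]+"\])?$/;
// Values: keywords, hex colours, lengths. No "(" so url()/expression() are
// rejected outright; no "\" so escapes cannot hide them.
const VALUE_RE = /^[\w\s#%.-]+$/;
function selectorAllowed(selector) {
  return selector.split(',').every(s => SELECTOR_RE.test(s.trim()));
}
function declarationAllowed(decl) {
  const idx = decl.indexOf(':');
  if (idx < 0) return false;
  const prop = decl.slice(0, idx).trim().toLowerCase();
  return ALLOWED_PROPERTIES.has(prop) && VALUE_RE.test(decl.slice(idx + 1).trim());
}
// Returns the surviving stylesheet plus the dropped rules, so rejections can be logged.
function filterUntrustedCss(css) {
  const kept = [], dropped = [];
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const selector = m[1].trim();
    const decls = m[2].split(';').map(d => d.trim()).filter(Boolean);
    if (selectorAllowed(selector) && decls.length > 0 && decls.every(declarationAllowed)) {
      kept.push(`${selector} { ${decls.join('; ')}; }`);
    } else {
      dropped.push(`${selector} { ${m[2].trim()} }`);
    }
  }
  return { css: kept.join('\n'), dropped };
}

// Constructed sample: a benign rule, a value-probing selector, a -moz-binding,
// and an overlay/hide attempt. Expect only the first rule to survive.
const SAMPLE_CSS = `
.note { color: #336699; font-weight: bold; }
input[type="password"][value^="a"] { background-color: red; }
div { -moz-binding: url(placeholder); }
#submit { position: absolute; top: 0; left: 0; opacity: 0; }
`;
```

Anything the regex rule scanner cannot pair as `selector { declarations }` is discarded without appearing in `dropped`, so a site using this should still reject input that contains unmatched braces.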