Let's be paranoid about CSS (cascaded style sheet) as an application data integrity attack vector!

nico Nicolas.Williams at sun.com
Tue Sep 9 16:23:09 EDT 2008


On Tue, Sep 09, 2008 at 01:52:30PM -0500, Thierry Moreau wrote:
> Here is a simple exploit which alters the ietf.org main page. Insert the 
> following four lines
>
> [...]
>
> to the file /usr/lib/firefox/res/html.css
>
> [...]
>
> OK, this requires root access because the Linux community is generally 
> security-conscious. But you should see the general idea: paranoia leads me 
> to think of an adversary who would threaten application integrity (such as 
> the above) without leaving much trace of computer system penetration.
>
> [...]
>
> Does anybody have any tip about how to mitigate this vulnerability, with 
> minimal assumptions about the client web browser?

As the service provider you have little choice but to assume local
security on the client side IF you want to allow clients that you don't
control (and you don't really have a choice about _that_; most SPs don't
anyway).

I don't see how to mitigate all possible attacks you can imagine that
involve a compromised client.

> The habit of storing css style information in various style sheets files 
> separate from the HTML contents is worrisome as each stylesheet retrieval 
> operation is a potential attack vector.

You could say the same thing about AJAX, ...  This train left the
station long ago, and I was on it then along with everyone else.

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
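Nico's point is that the only place this can be caught is on the client itself. The following is an added example, not code from the thread or from Firefox: a baseline-and-verify check that hashes the files under a browser resource directory (a stand-in for /usr/lib/firefox/res, whose html.css the original post modifies) and reports any file whose digest has changed, gone missing, or appeared. The stylesheet content and the appended rule are constructed for the demonstration; the actual four lines from the original post are elided there and are not reproduced here.

```python
"""Baseline-and-verify check for browser resource files such as Firefox's
res/html.css.

Added example, not code from the original thread.  It assumes the browser's
resource directory is a plain directory of files (the paths used below are
hypothetical); the stylesheet content is constructed so the script runs
offline.
"""
import hashlib
import json
import os
import tempfile

# Constructed stand-in for a user-agent stylesheet (not Firefox's real html.css).
SAMPLE_HTML_CSS = """\
/* constructed sample user-agent stylesheet */
html, body { display: block; }
p { display: block; margin: 1em 0; }
"""

# Constructed stand-in for a rule an attacker with write access could append.
# The actual lines from the original post are elided there and not reproduced.
TAMPER_RULE = (
    "/* appended by a hypothetical attacker */\n"
    "p::after { content: ' (altered)'; }\n"
)


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash every regular file under root; keys are paths relative to root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the tree under root against a trusted manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}:
    modified = digest differs, missing = in manifest but not on disk,
    unexpected = on disk but not in manifest (e.g. a stylesheet dropped in
    beside the originals).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Create a constructed res/ directory, baseline it, tamper with html.css
    the way the original post describes, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        res_dir = os.path.join(tmp, "res")  # stands in for /usr/lib/firefox/res
        os.makedirs(res_dir)
        css_path = os.path.join(res_dir, "html.css")
        with open(css_path, "w") as f:
            f.write(SAMPLE_HTML_CSS)

        # Baseline taken while the installation is still trusted, e.g. right
        # after installing from a verified package.
        baseline = build_manifest(res_dir)

        # Simulate the attack: append a rule to the user-agent stylesheet.
        with open(css_path, "a") as f:
            f.write(TAMPER_RULE)

        return verify_manifest(res_dir, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat is the one Nico makes: the baseline has to be stored where the adversary cannot rewrite it (off-host, or on read-only media), and an attacker who already has root can just as easily patch the verifier or the package manager's own signed manifests as patch html.css. A check like this raises the cost of staying undetected; it does not let the service provider trust a client it does not control.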