
XSS (No, the _other_ "s") - CSSConf EU 2013

Mike West
September 13, 2013


Cross-site scripting attacks are dangerous, and common enough that you're all probably familiar with them. Unfortunately, that last word, "scripting", has ensured that our collective understanding of injection attacks remains fundamentally tied up with JavaScript. Cross-site _styling_ is actually more capable than you might expect; it's quite possible to exfiltrate sensitive data (like passwords!) without any script at all. This talk will walk through some of the cleverly malicious activity that CSS makes possible, and discuss some mechanisms for mitigating the risk that your sites and applications might be affected.



Transcript

  1. XSS. (No, the other "S")
     Mike West
     https://mikewest.org
     G+: mkw.st/+
     Twitter: @mikewest
     Slides: https://mkw.st/r/cssconfeu13
  2. <style>
       p { color: {{USER_COLOR}}; }
     </style>
     <p>
       Hello {{USER_NAME}},
       view your <a href="{{USER_URL}}">Account</a>.
     </p>
     <script>
       var id = {{USER_ID}};
     </script>
     <!-- DEBUG: {{INFO}} -->
  3. Content-Security-Policy:
       default-src 'none';
       style-src https://mikewestdotorg.hasacdn.net;
       frame-src https://www.youtube.com https://www.speakerdeck.com;
       script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com;
       img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com;
       font-src https://mikewestdotorg.hasacdn.net
  4. Content-Security-Policy:
       default-src ...;
       script-src ...;
       object-src ...;
       style-src ...;
       img-src ...;
       media-src ...;
       frame-src ...;
       font-src ...;
       connect-src ...;
       sandbox ...;
       report-uri https://example.com/reporter.cgi
  5. Content-Security-Policy-Report-Only:
       default-src https:;
       report-uri https://example.com/csp-violations

     Report POSTed to the report-uri (trailing comma in the slide's JSON removed):

     {
       "csp-report": {
         "document-uri": "http://example.org/page.html",
         "referrer": "http://evil.example.com/haxor.html",
         "blocked-uri": "http://evil.example.com/img.png",
         "violated-directive": "default-src 'self'",
         "original-policy": "...",
         "source-file": "http://example.com/script.js",
         "line-number": 10,
         "column-number": 11
       }
     }
  6. <!-- index.html -->
     <script src="clickHandler.js"></script>
     <button class="clickr">Click me!</button>
     <a href="#" class="clickr">Click me!</a>

     <!-- clickHandler.js -->
     function handleClick() { /* ... */ }

     function init() {
       // querySelectorAll returns a NodeList; iterate by index rather than
       // with for-in, which yields property names, not elements.
       var els = document.querySelectorAll('.clickr');
       for (var i = 0; i < els.length; i++)
         els[i].addEventListener('click', handleClick);
     }

     // Wire up handlers without an inline onload= attribute, which CSP would block.
     document.addEventListener('DOMContentLoaded', init);
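Slide 2 shows five injection points, one per syntactic context (CSS value, HTML text, URL attribute, JS literal, HTML comment), and the same "escape it" reflex does not work for all of them. As an added example, not code from the slides, the following renders that template with a context-specific encoder for each value; the helper names and the hostile sample values are constructed for this demo and the code runs under Node (which provides the global URL parser):

```javascript
// Added example (not from the slides): the slide-2 template rendered with one
// encoder per injection context. Helper names and sample values are constructed.
// HTML text/attribute context: neutralise tag, entity and quote characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// CSS value context: allow-list a hex colour or bare keyword; a value that
// tries to close the rule (`red; } p { ... }`) is replaced, not escaped.
function safeCssColor(s) {
  return /^(#[0-9a-fA-F]{3,8}|[a-zA-Z]+)$/.test(s) ? s : 'inherit';
}
// URL attribute context: keep only absolute http(s) URLs (drops javascript:
// and data:), then HTML-escape the normalised URL for the href="" attribute.
function safeHref(s) {
  try {
    const u = new URL(String(s));
    return u.protocol === 'http:' || u.protocol === 'https:' ? escapeHtml(u.href) : '#';
  } catch (e) {
    return '#'; // relative or unparseable: rejected
  }
}
// JS literal context: JSON.stringify yields a valid literal; `<` is escaped so a
// "</script>" inside the value cannot end the block; U+2028/9 stay valid JS.
function jsLiteral(v) {
  return JSON.stringify(v).replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}
// HTML comment context: "-->" would close the comment, so `-`, `<` and `>`
// become numeric references (never decoded inside a comment).
function commentSafe(s) {
  return String(s).replace(/[-<>]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

function render(user) {
  return '<style> p { color: ' + safeCssColor(user.color) + '; } </style>\n' +
    '<p> Hello ' + escapeHtml(user.name) + ', view your <a href="' +
    safeHref(user.url) + '">Account</a>. </p>\n' +
    '<script> var id = ' + jsLiteral(user.id) + '; </script>\n' +
    '<!-- DEBUG: ' + commentSafe(user.info) + ' -->';
}

// Constructed hostile input: each field tries to escape its own context.
const hostileUser = {
  color: 'red; } p { display: none', name: '<img src=x onerror=alert(1)>',
  url: 'javascript:alert(1)', id: '1; </script><script>alert(1)</script>',
  info: '--><script>alert(1)</script>',
};
```

Note that the CSS value is validated against an allow-list rather than escaped: there is no general-purpose escaping that makes an arbitrary string safe inside a style sheet, which is exactly why style-src in a CSP is worth setting.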