Research article
DOI: 10.1145/1866307.1866376

Protecting browsers from cross-origin CSS attacks

Published: 04 October 2010

Abstract

    Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. We show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. We have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Our defense proposal has also been adopted by Opera.
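The following is an added example, not code from the paper or from any browser: a small JavaScript model of the two halves of the abstract. The first half is a toy statement parser with CSS 2.1-style error recovery, showing how an HTML page that merely reflects a request parameter yields a style rule whose property value contains other text from that same page (here a constructed hidden anti-CSRF token). The second half is a cross-origin acceptance check of the kind the paper's defense proposes: a cross-origin style sheet is used only if it is served as text/css or begins with a syntactically valid CSS construct. The victim page, its reflected `{}body{font-family:` prefix, the token value, the mislabeled sheet and the exact validity test are assumptions made for this example.

```javascript
// Added example (not from the paper): a toy model of CSS error recovery and of
// a strict acceptance check for cross-origin style sheets. Victim page, token
// and the validity test are constructed for illustration.

// Characters a CSS 2.1 selector may consist of (simplified; at-rules are not
// modelled by the statement parser below).
const SELECTOR = /^[\w.#*:\[][\w\s.#:*>+~,\[\]="'()\-]*$/;

// Toy statement-level parser with CSS 2.1-style error recovery: the input is
// cut into "prelude { body }" statements; a statement whose prelude is not a
// selector is malformed and is skipped as a unit, and parsing resumes after
// its block. An unclosed block is closed at end of input, as the spec requires.
function parseSheet(text) {
  const rules = [];
  const stmt = /([^{}]*)\{([^}]*)(?:\}|$)/g;
  let m;
  while ((m = stmt.exec(text)) !== null) {
    const prelude = m[1].trim();
    if (!SELECTOR.test(prelude)) continue; // error recovery: drop the malformed statement
    rules.push({ selector: prelude, declarations: parseDeclarations(m[2]) });
  }
  return rules;
}

// "prop: value; prop: value" -> object; the value is everything after the
// first colon up to the next ';' (or the end of the block).
function parseDeclarations(body) {
  const decls = {};
  for (const part of body.split(";")) {
    const colon = part.indexOf(":");
    if (colon < 0) continue;
    decls[part.slice(0, colon).trim()] = part.slice(colon + 1).trim();
  }
  return decls;
}

// Strict test for the first construct only: skip leading whitespace and
// comments, then require either an at-rule header or a selector followed by
// '{'. Input that would need error recovery at its start fails.
function beginsWithValidCss(text) {
  const stripped = text.replace(/^\s*(?:\/\*[\s\S]*?\*\/\s*)*/, "");
  const first = /^([^{};]*)[{;]/.exec(stripped);
  if (!first) return false;
  const prelude = first[1].trim();
  if (prelude.startsWith("@")) return /^@[a-zA-Z-]+/.test(prelude);
  return SELECTOR.test(prelude);
}

// Acceptance policy for a cross-origin <link rel=stylesheet> or @import
// (same-origin loads are out of scope here). A correct Content-Type header is
// authoritative; otherwise the sheet has to parse cleanly from its first byte.
function acceptCrossOriginSheet({ contentType, body }) {
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  if (type === "text/css") return true;
  return beginsWithValidCss(body);
}

// Constructed victim page: a search page that reflects the query string and
// also carries a hidden anti-CSRF token. The reflected query is the attacker's
// prefix: "{}" closes the malformed statement that the preceding HTML became,
// then "body{font-family:" opens a rule whose value runs to end of input.
const VICTIM_PAGE = [
  "<html><body>",
  "<p>Search results for: {}body{font-family:</p>",
  '<form><input type=hidden name=csrf value="s3cr3t-tok3n"></form>',
  "</body></html>",
].join("\n");

// A harmless sheet that a misconfigured server labels text/plain: the policy
// still accepts it, which is what keeps the defense low-breakage.
const MISLABELED_SHEET = "/* legacy */\n#nav { display: none }";

console.log("rules recovered from the HTML page:",
  JSON.stringify(parseSheet(VICTIM_PAGE), null, 2));
console.log("victim page accepted as cross-origin CSS?",
  acceptCrossOriginSheet({ contentType: "text/html; charset=utf-8", body: VICTIM_PAGE }));
console.log("mislabeled real CSS accepted?",
  acceptCrossOriginSheet({ contentType: "text/plain", body: MISLABELED_SHEET }));
```

Run it with `node`. The first output shows that the token ends up inside the `font-family` value of a rule the parser happily produced from an HTML document, which is the information flow the attack relies on; how an attacker then observes that value is outside this model. The second and third outputs show the check rejecting the HTML page while keeping a mislabeled but well-formed sheet. A real implementation lives in the browser's style-sheet loader and judges the first construct with the actual tokenizer rather than a regex; the toy also leaves out same-origin loads, which the policy does not restrict.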




Published In

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security
October 2010, 782 pages
ISBN: 9781450302456
DOI: 10.1145/1866307

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. CSS
        2. content type
        3. same-origin policy

Conference

CCS '10

        Acceptance Rates

        CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;
        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%



Cited By

• (2023) Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations. Sensors 23(13):6067. doi:10.3390/s23136067. Published 30 June 2023.
• (2022) Truth Serum. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 2779-2792. doi:10.1145/3548606.3560554. Published 7 November 2022.
• (2020) Verification of the IBOS Browser Security Properties in Reachability Logic. Rewriting Logic and Its Applications, pp. 176-196. doi:10.1007/978-3-030-63595-4_10. Published 11 December 2020.
• (2018) Large-Scale Analysis of Style Injection by Relative Path Overwrite. Proceedings of the 2018 World Wide Web Conference, pp. 237-246. doi:10.1145/3178876.3186090. Published 10 April 2018.
• (2018) Data exfiltration. Journal of Network and Computer Applications 101(C):18-54. doi:10.1016/j.jnca.2017.10.016. Published 1 January 2018.
• (2017) Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions. Financial Cryptography and Data Security, pp. 441-459. doi:10.1007/978-3-662-54970-4_26. Published 17 May 2017.
• (2016) Language design and implementation for the domain of coding conventions. Proceedings of the 2016 ACM SIGPLAN International Conference on Software Language Engineering, pp. 90-104. doi:10.1145/2997364.2997386. Published 20 October 2016.
• (2016) CSP adoption. Security and Communication Networks 9(17):4557-4573. doi:10.1002/sec.1649. Published 25 November 2016.
• (2015) Encore. ACM SIGCOMM Computer Communication Review 45(4):653-667. doi:10.1145/2829988.2787485. Published 17 August 2015.
• (2015) Encore. Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication, pp. 653-667. doi:10.1145/2785956.2787485. Published 17 August 2015.
