research-article

Protecting browsers from cross-origin CSS attacks

Authors:

Lin-Shung Huang,

Chris Evans, and

Collin JacksonAuthors Info & Claims

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

October 2010

Pages 619 - 629

https://doi.org/10.1145/1866307.1866376

Published: 04 October 2010 Publication History

Abstract

Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. We show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. We have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Our defense proposal has also been adopted by Opera.

References

[1]

]]Alexa. Top Sites. http://www.alexa.com/topsites.

[2]

]]A. Barth. HTTP state management mechanism, 2010. https://datatracker.ietf.org/doc/draft-ietf-httpstate-cookie/.

[3]

]]A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.

Digital Library

[4]

]]A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008.

Digital Library

[5]

]]T. Berners-Lee. WorldWideWeb: Proposal for a HyperText Project, 1990. http://www.w3.org/Proposal.html.

[6]

]]H. Bojinov, E. Bursztein, and D. Boneh. XCS: cross channel scripting and its impact on web applications. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, 2009.

Digital Library

[7]

]]T. Close. Web-key: Mashing with permission. In Web 2.0 Security and Privacy, 2008.

[8]

]]D. Crockford. The application/json media type for JavaScript Object Notation (JSON), 2006. http://tools.ietf.org/html/rfc4627.

[9]

]]Fortify. JavaScript Hijacking Vulnerability Detected. http://www.fortify.com/advisory.jsp.

[10]

]]J. Franks, P. M. Hallam-Baker, J. L. Hostetler, S. D. Lawrence, and P. J. Leach. HTTP authentication, 1999. http://www.ietf.org/rfc/rfc2617.txt.

[11]

]]M. Gillon. Google Desktop Exposed: Exploiting an Internet Explorer vulnerability to phish user information, 2005. http://www.hacker.co.il/security/ie/css_import.html.

[12]

]]D. Goldsmith and M. Davis. UTF-7: A Mail-Safe Transformation Format of Unicode, 1997. http://tools.ietf.org/html/rfc2152.

Digital Library

[13]

]]GreyMagic Software. GreyMagic Security Advisory GM#004-IE, 2002. http://www.greymagic.com/ security/advisories/gm004-ie/.

[14]

]]C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE Symposium on Security and Privacy, 2008.

Digital Library

[15]

]]D. Hyatt, W. Bastian, et al. WebKit, an open source web browser engine, 2005--2010. http://webkit.org/.

[16]

]]C. Jackson. Improving Browser Security Policies. PhD thesis, Stanford University, Stanford, CA, USA, 2009.

Digital Library

[17]

]]C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th International World Wide Web Conference. (WWW 2006), 2006.

Digital Library

[18]

]]D. M. Kristol and L. Montulli. HTTP state management mechanism, 1997. http://www.ietf.org/rfc/rfc2109.txt.

Digital Library

[19]

]]E. Lawrence. IE8 Security Part V: Comprehensive Protection. http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx.

[20]

]]H. W. Lie. Cascading Style Sheets. PhD thesis, University of Oslo, Norway, 2005. http://people.opera.com/howcome/2006/phd/.

[21]

]]T. Oda, G. Wurster, P. C. van Oorschot, and A. Somayaji. SOMA: mutual approval for included content in web pages. In Proceedings of the 15th ACM conference on Computer and communications security, 2008.

Digital Library

[22]

]]ofk. CSSXSS attack on mixi post key, 2008. http://d.hatena.ne.jp/ofk/20081111/1226407593.

[23]

]]J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html.

[24]

]]S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In WWW '10: Proceedings of the 19th international conference on World wide web, 2010.

Digital Library

[25]

]]A. van Kesteren et al. Cross-origin resource sharing (editor's draft), 2010. http://dev.w3.org/2006/waf/access-control/.

[26]

]]W3C. CSS syntax and basic data types. http://www.w3.org/TR/CSS2/syndata.html.

[27]

]]W3C. Document Object Model CSS. http://www.w3.org/TR/DOM-Level-2-Style/css.html.

[28]

]]W3C. HTML 4.01 Specification. http://www.w3.org/TR/html4/.

[29]

]]H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-Principal OS Construction of the Gazelle Web Browser. In Proceedings of the 18th USENIX Security Symposium, 2009.

Digital Library

[30]

]]E. Z. Yang. HTML Purifier, 2006--2010. http://htmlpurifier.org.

Cited By

Noman HAbu-Sharkh O(2023)Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical ImplementationsSensors10.3390/s2313606723:13(6067)Online publication date: 30-Jun-2023
https://doi.org/10.3390/s23136067
Tramèr FShokri RSan Joaquin ALe HJagielski MHong SCarlini NYin HStavrou ACremers CShi E(2022)Truth SerumProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security10.1145/3548606.3560554(2779-2792)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548606.3560554
Skeirik SMeseguer JRocha C(2020)Verification of the IBOS Browser Security Properties in Reachability LogicRewriting Logic and Its Applications10.1007/978-3-030-63595-4_10(176-196)Online publication date: 11-Dec-2020
https://doi.org/10.1007/978-3-030-63595-4_10
Show More Cited By

Index Terms

Protecting browsers from cross-origin CSS attacks
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Robust defenses for cross-site request forgery
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the ...
Read More
Dynamic pharming attacks and locked same-origin policies for web browsers
CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-...
Read More
Scriptless attacks: stealing the pie without touching the sill
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

October 2010

782 pages

ISBN:9781450302456

DOI:10.1145/1866307

General Chair:
Ehab Al-Shaer
University of North Carolina, Charlotte, USA
,
Program Chairs:
Angelos D. Keromytis
Columbia University, USA
,
Vitaly Shmatikov
University of Texas at Austin, USA

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 October 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '10

Sponsor:

SIGSAC

CCS '10: 17th ACM Conference on Computer and Communications Security 2010

October 4 - 8, 2010

Illinois, Chicago, USA

Acceptance Rates

CCS '10 Paper Acceptance Rate 55 of 325 submissions, 17%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
1,118
Total Downloads

Downloads (Last 12 months)25
Downloads (Last 6 weeks)5

Other Metrics

View Author Metrics

Citations

Cited By

Noman HAbu-Sharkh O(2023)Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical ImplementationsSensors10.3390/s2313606723:13(6067)Online publication date: 30-Jun-2023
https://doi.org/10.3390/s23136067
Tramèr FShokri RSan Joaquin ALe HJagielski MHong SCarlini NYin HStavrou ACremers CShi E(2022)Truth SerumProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security10.1145/3548606.3560554(2779-2792)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548606.3560554
Skeirik SMeseguer JRocha C(2020)Verification of the IBOS Browser Security Properties in Reachability LogicRewriting Logic and Its Applications10.1007/978-3-030-63595-4_10(176-196)Online publication date: 11-Dec-2020
https://doi.org/10.1007/978-3-030-63595-4_10
Arshad SMirheidari SLauinger TCrispo BKirda ERobertson WChampin PGandon FMédini LLalmas MIpeirotis P(2018)Large-Scale Analysis of Style Injection by Relative Path OverwriteProceedings of the 2018 World Wide Web Conference10.1145/3178876.3186090(237-246)Online publication date: 10-Apr-2018
https://dl.acm.org/doi/10.1145/3178876.3186090
Ullah FEdwards MRamdhany RChitchyan RBabar MRashid A(2018)Data exfiltrationJournal of Network and Computer Applications10.1016/j.jnca.2017.10.016101:C(18-54)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1016/j.jnca.2017.10.016
Arshad SKharraz ARobertson W(2017)Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsFinancial Cryptography and Data Security10.1007/978-3-662-54970-4_26(441-459)Online publication date: 17-May-2017
https://doi.org/10.1007/978-3-662-54970-4_26
Goncharenko BZaytsev VStorm TBalland EVarro D(2016)Language design and implementation for the domain of coding conventionsProceedings of the 2016 ACM SIGPLAN International Conference on Software Language Engineering10.1145/2997364.2997386(90-104)Online publication date: 20-Oct-2016
https://dl.acm.org/doi/10.1145/2997364.2997386
Ying MLi S(2016)CSP adoptionSecurity and Communication Networks10.1002/sec.16499:17(4557-4573)Online publication date: 25-Nov-2016
https://dl.acm.org/doi/10.1002/sec.1649
Burnett SFeamster N(2015)EncoreACM SIGCOMM Computer Communication Review10.1145/2829988.278748545:4(653-667)Online publication date: 17-Aug-2015
https://dl.acm.org/doi/10.1145/2829988.2787485
Burnett SFeamster NUhlig SMaennel OKarp BPadhye J(2015)EncoreProceedings of the 2015 ACM Conference on Special Interest Group on Data Communication10.1145/2785956.2787485(653-667)Online publication date: 17-Aug-2015
https://dl.acm.org/doi/10.1145/2785956.2787485
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents