ABSTRACT
Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website by exploiting the user's existing authenticated session; existing XSS defenses do not stop them. We show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. We have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Our defense proposal has also been adopted by Opera.
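The following is an added example and not code from the paper or from any of the browsers it mentions. It models, under Node and without a browser, the two halves of the abstract: a victim page that reflects attacker-chosen strings around a secret, which a forgiving CSS parser turns into a readable declaration value when the page is imported as a style sheet (the technique behind the css_import and CSSXSS entries in the reference list), and a load-time check in the spirit of the client-side defense. The victim page, the token `tok-8f3a2c9d`, the injected strings, the simplified parser and the exact shape of the check (`crossOrigin`, a `text/css` Content-Type, a well-formed first rule) are all my assumptions for illustration; the paper's precise rule is in its full text, which this page does not reproduce.

```javascript
// Added example, not code from the paper: a toy model of the attack mechanics
// in the abstract and of a load-time check in the spirit of its client-side
// defense. Victim page, token and the exact check are constructed assumptions.

// Constructed victim page: it reflects two URL parameters (`q` before and
// `r` after) around an anti-CSRF token. The attacker chooses both strings.
function renderVictimPage(q, r) {
  return `<!DOCTYPE html>
<html><body>
<h1>Search results for: ${q}</h1>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf" value="tok-8f3a2c9d">
</form>
<p>Filter: ${r}</p>
</body></html>`;
}

// Attacker's injected strings: `{}` closes whatever the leading HTML was taken
// as, then `*{background:url(` opens a declaration whose value swallows
// everything up to the attacker's closing `)}`.
const INJECT_BEFORE = '{}*{background:url(';
const INJECT_AFTER = ')}';

// Simplified model of forgiving CSS parsing (not any browser's tokenizer):
// text before `{` is the rule's prelude; a declaration value runs to the next
// `;` or `}` at parenthesis depth 0, so an unclosed `url(` keeps consuming
// across newlines and HTML tags until its `)`.
function parseLenientCss(text) {
  const rules = [];
  let i = 0;
  while (i < text.length) {
    const open = text.indexOf('{', i);
    if (open < 0) break;
    const prelude = text.slice(i, open).trim();
    const decls = [];
    let j = open + 1;
    while (j < text.length && text[j] !== '}') {
      const colon = text.indexOf(':', j);
      const close = text.indexOf('}', j);
      if (colon < 0 || (close >= 0 && close < colon)) {
        j = close < 0 ? text.length : close; // malformed declaration: skip to block end
        break;
      }
      const prop = text.slice(j, colon).trim();
      let k = colon + 1, depth = 0;
      for (; k < text.length; k++) {
        const c = text[k];
        if (c === '(') depth++;
        else if (c === ')') depth = Math.max(0, depth - 1);
        else if (depth === 0 && (c === ';' || c === '}')) break;
      }
      decls.push({ prop, value: text.slice(colon + 1, k).trim() });
      j = text[k] === ';' ? k + 1 : k;
    }
    rules.push({ prelude, decls });
    i = j + 1;
  }
  return rules;
}

// In a real attack the attacker's page imports the victim URL as a style sheet
// and reads the captured declaration back through the CSSOM; here we just pull
// the token out of the parsed value.
function leakedToken(sheetText) {
  for (const rule of parseLenientCss(sheetText)) {
    for (const d of rule.decls) {
      const m = /name="csrf" value="([^"]+)"/.exec(d.value);
      if (m) return m[1];
    }
  }
  return null;
}

// Load-time check in the spirit of the abstract's defense (my simplified
// reading, not the paper's exact rule): same-origin sheets load as before;
// a cross-origin sheet loads if served as text/css, or otherwise only if it
// is well-formed CSS from its first byte. Reflected HTML fails both tests.
function firstRuleIsWellFormed(body) {
  const text = body.replace(/^\s*(?:\/\*[\s\S]*?\*\/\s*)*/, '').trim();
  const atRule = /^@[a-z-]+[^;{}]*;/i;
  const selectorBlock = /^[A-Za-z0-9_\-.#*:,\s>+~\[\]="']+\{\s*(?:[A-Za-z-]+\s*:[^;{}]*;?\s*)*\}/;
  return atRule.test(text) || selectorBlock.test(text);
}

function shouldLoadStyleSheet({ crossOrigin, contentType, body }) {
  if (!crossOrigin) return true;
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mime === 'text/css') return true;
  return firstRuleIsWellFormed(body);
}

function demo() {
  const sheet = renderVictimPage(INJECT_BEFORE, INJECT_AFTER);
  console.log('leaked token:', leakedToken(sheet));
  console.log('load reflected HTML cross-origin as text/html?',
    shouldLoadStyleSheet({ crossOrigin: true, contentType: 'text/html; charset=utf-8', body: sheet }));
}
demo();
```

Two points worth noticing in the check: a sheet the server mislabels as `text/plain` but that is valid CSS from the start still loads, which is why a rule of this shape costs most sites nothing, and a response labelled `text/css` is trusted outright, so the defense depends on the victim not serving attacker-influenced content under that type.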
References
- Alexa. Top Sites. http://www.alexa.com/topsites.
- A. Barth. HTTP state management mechanism, 2010. https://datatracker.ietf.org/doc/draft-ietf-httpstate-cookie/.
- A. Barth, J. Caballero, and D. Song. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.
- A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008.
- T. Berners-Lee. WorldWideWeb: Proposal for a HyperText Project, 1990. http://www.w3.org/Proposal.html.
- H. Bojinov, E. Bursztein, and D. Boneh. XCS: cross channel scripting and its impact on web applications. In CCS '09: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009.
- T. Close. Web-key: Mashing with permission. In Web 2.0 Security and Privacy, 2008.
- D. Crockford. The application/json media type for JavaScript Object Notation (JSON), 2006. http://tools.ietf.org/html/rfc4627.
- Fortify. JavaScript Hijacking Vulnerability Detected. http://www.fortify.com/advisory.jsp.
- J. Franks, P. M. Hallam-Baker, J. L. Hostetler, S. D. Lawrence, and P. J. Leach. HTTP authentication, 1999. http://www.ietf.org/rfc/rfc2617.txt.
- M. Gillon. Google Desktop Exposed: Exploiting an Internet Explorer vulnerability to phish user information, 2005. http://www.hacker.co.il/security/ie/css_import.html.
- D. Goldsmith and M. Davis. UTF-7: A Mail-Safe Transformation Format of Unicode, 1997. http://tools.ietf.org/html/rfc2152.
- GreyMagic Software. GreyMagic Security Advisory GM#004-IE, 2002. http://www.greymagic.com/security/advisories/gm004-ie/.
- C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE Symposium on Security and Privacy, 2008.
- D. Hyatt, W. Bastian, et al. WebKit, an open source web browser engine, 2005--2010. http://webkit.org/.
- C. Jackson. Improving Browser Security Policies. PhD thesis, Stanford University, Stanford, CA, USA, 2009.
- C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th International World Wide Web Conference (WWW 2006), 2006.
- D. M. Kristol and L. Montulli. HTTP state management mechanism, 1997. http://www.ietf.org/rfc/rfc2109.txt.
- E. Lawrence. IE8 Security Part V: Comprehensive Protection. http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx.
- H. W. Lie. Cascading Style Sheets. PhD thesis, University of Oslo, Norway, 2005. http://people.opera.com/howcome/2006/phd/.
- T. Oda, G. Wurster, P. C. van Oorschot, and A. Somayaji. SOMA: mutual approval for included content in web pages. In Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008.
- ofk. CSSXSS attack on mixi post key, 2008. http://d.hatena.ne.jp/ofk/20081111/1226407593.
- J. Ruderman. JavaScript Security: Same Origin. http://www.mozilla.org/projects/security/components/same-origin.html.
- S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In WWW '10: Proceedings of the 19th International Conference on World Wide Web, 2010.
- A. van Kesteren et al. Cross-origin resource sharing (editor's draft), 2010. http://dev.w3.org/2006/waf/access-control/.
- W3C. CSS syntax and basic data types. http://www.w3.org/TR/CSS2/syndata.html.
- W3C. Document Object Model CSS. http://www.w3.org/TR/DOM-Level-2-Style/css.html.
- W3C. HTML 4.01 Specification. http://www.w3.org/TR/html4/.
- H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-Principal OS Construction of the Gazelle Web Browser. In Proceedings of the 18th USENIX Security Symposium, 2009.
- E. Z. Yang. HTML Purifier, 2006--2010. http://htmlpurifier.org.
Index Terms
- Protecting browsers from cross-origin CSS attacks
Recommendations
Robust defenses for cross-site request forgery
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the ...

Dynamic pharming attacks and locked same-origin policies for web browsers
CCS '07: Proceedings of the 14th ACM conference on Computer and communications security
We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious Javascript, which then exploits DNS rebinding vulnerabilities and the name-based same-...

Scriptless attacks: stealing the pie without touching the sill
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the ...