Evan Martin (evan) wrote in evan_tech,

cross-site css xss

I had seen the news about XSS problems in Google Desktop, but had just written them off as some sloppy input verification on the GDS team's part and hadn't given it much thought.

But this page indicates the problem is much more sinister. Briefly, a page can import CSS from another domain using @import, and once a stylesheet has been imported, script on the importing page can read bits of it back through the CSS object model. Here's the sick part: in IE, when you point the @import at a page that doesn't contain CSS, the browser tries a "lenient" parse of it, treating pretty much anything (?) that follows a curly brace as stylesheet content. So if the data you want to steal sits after a curly brace and is formatted the right way, you can read it out from another origin, and it's even easier when the target page reflects URL parameters, because then you can put the curly brace on the page yourself and position it just before the data.

My question for you: how do you defend your app against these sorts of attacks?
