Evan Martin (evan) wrote in evan_tech,

cross-site css xss

I had seen the news about XSS problems in Google Desktop, but had just written them off as some sloppy input verification on the GDS team's part and hadn't given it much thought.

But this page indicates the problem is much more sinister. Briefly, a page can import CSS from another domain using @import, and once you've imported CSS you can access bits of it through JavaScript. Here's the sick part: with IE, when you point the @import at a page that doesn't contain CSS, it tries to do "lenient" parsing of CSS, parsing pretty much anything (?) that occurs after a curly brace. This means that if the data you wanna steal is after a curly and formatted the right way, you can nab it, and it's even easier if the target page displays some URL parameters because then you can influence what's on the page.

My question for you: how do you defend your app against these sorts of attacks?
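One way to answer that question with code, as an added example that is not from the original post: a small audit that checks a response for the two conditions the attack needs (no brace-escaping of reflected input, and nothing telling the browser not to treat the page as a stylesheet), next to the hardened rendering. The page layout, the secret, the reflected parameter and the helper names are all constructed for illustration; `X-Content-Type-Options: nosniff` is a real header that modern browsers honour when deciding whether a cross-origin response may be loaded as CSS.

```python
import html

# Constructed sample (hypothetical app, not from the original post): a page that
# reflects a search parameter and then shows a per-user secret below it.
SECRET = "tok_constructed_123456"
REFLECTED_PARAM = "shoes {"   # attacker-influenced value carrying a curly brace

def render_page(query, secret, escape_braces):
    """Build the response body; the reflected query lands before the secret."""
    shown = html.escape(query)   # handles < > & " ' but leaves braces alone
    if escape_braces:
        # Encode braces as entities so the raw byte stream no longer contains
        # '{' or '}' for a lenient cross-site CSS parser to latch onto.
        shown = shown.replace("{", "&#123;").replace("}", "&#125;")
    return (f"<html><body><p>Results for: {shown}</p>"
            f"<p>Your API token: {secret}</p></body></html>")

def harden_headers(headers):
    """Return a copy of the headers that forbids content-type sniffing."""
    hardened = dict(headers)
    hardened["X-Content-Type-Options"] = "nosniff"
    return hardened

def css_exposure_findings(headers, body, secrets):
    """List conditions that would let a cross-site @import read this response."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/css":
        findings.append("response is served as text/css")
    elif lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff header")
    # Approximation of the lenient parse described above: everything after the
    # first '{' is treated as reachable by the importing page.
    brace = body.find("{")
    if brace != -1:
        for secret in secrets:
            if body.find(secret, brace) != -1:
                findings.append(f"secret {secret!r} appears after first '{{' at offset {brace}")
    return findings

if __name__ == "__main__":
    weak_headers = {"Content-Type": "text/html; charset=utf-8"}
    weak_body = render_page(REFLECTED_PARAM, SECRET, escape_braces=False)
    print("before:", css_exposure_findings(weak_headers, weak_body, [SECRET]))
    safe_body = render_page(REFLECTED_PARAM, SECRET, escape_braces=True)
    print("after:", css_exposure_findings(harden_headers(weak_headers), safe_body, [SECRET]))
```

Escaping braces only closes the reflected-parameter route; the header is what stops the browser from reading a page that legitimately contains a `{` of its own as a stylesheet.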