April 3rd, 2006

  • evan

cross-site css xss

I had seen the news about XSS problems in Google Desktop, but had just written them off as some sloppy input verification on the GDS team's part and hadn't given it much thought.

But this page indicates the problem is much more sinister. Briefly, a page can import CSS from another domain using @import, and once you've imported CSS you can access bits of it through JavaScript. Here's the sick part: with IE, when you point the @import at a page that doesn't contain CSS, it tries to do "lenient" parsing of CSS, parsing pretty much anything (?) that occurs after a curly brace. This means that if the data you want to steal sits after a curly brace and is formatted the right way, you can nab it, and it's even easier if the target page displays some URL parameters, because then you can influence what's on the page.

My question for you: how do you defend your app against these sorts of attacks?
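One way to answer that question for your own app, as an added example that is not part of the original post: audit each non-stylesheet response for the two things the attack needs (a browser willing to treat the page as CSS, and a brace-delimited run of text a lenient parser could recover), and apply the server-side mitigations. The `X-Content-Type-Options: nosniff` header postdates this post but is what browsers now honour; the HTTP headers and page body below are constructed for illustration, and the brace regex is only a rough approximation of a lenient CSS parser, not IE's real algorithm.

```python
"""Audit an HTTP response for the cross-site CSS data-theft conditions the
post describes, and show the header-level mitigations.  Example code written
for this page, not from the original post; all samples are constructed."""
import re
from typing import Dict, List, Tuple

# A lenient CSS parser keys on '{ ... }' blocks: text before the '{' becomes
# the selector, text inside becomes the declarations.  This regex approximates
# that recovery (assumption: it is not the browser's actual algorithm).
CSS_BLOCK = re.compile(r"([^{}]*)\{([^{}]*)\}", re.S)


def lenient_css_blocks(body: str) -> List[Tuple[str, str]]:
    """Return (selector, declarations) pairs a lenient CSS parser might
    recover from an arbitrary response body."""
    return [(sel.strip(), decl.strip()) for sel, decl in CSS_BLOCK.findall(body)]


def audit_response(headers: Dict[str, str], body: str, is_stylesheet: bool) -> List[str]:
    """List the reasons this response could be abused as an @import target.

    headers       -- response header map (looked up case-insensitively)
    body          -- response body as text
    is_stylesheet -- True if this endpoint is supposed to serve CSS
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        findings.append("missing Content-Type; the browser may sniff the body as CSS")
    elif not is_stylesheet and ctype == "text/css":
        findings.append("non-stylesheet response labelled text/css")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if not is_stylesheet:
        blocks = lenient_css_blocks(body)
        if blocks:
            findings.append(
                "%d brace-delimited block(s) a lenient CSS parser could recover" % len(blocks)
            )
    return findings


def harden_headers(headers: Dict[str, str],
                   content_type: str = "text/html; charset=utf-8") -> Dict[str, str]:
    """Return a copy of the headers with an explicit Content-Type and
    X-Content-Type-Options: nosniff, so a browser will not reinterpret the
    page as a stylesheet."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("content-type", "x-content-type-options")}
    out["Content-Type"] = content_type
    out["X-Content-Type-Options"] = "nosniff"
    return out


# Constructed sample: a reflected search term put a '{' in front of a secret,
# and a '}' further down the page closes the "block".
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = (
    "<html><body>Search results for: {"
    "<p>Session token: abc123}</p></body></html>"
)

if __name__ == "__main__":
    print("before:", audit_response(SAMPLE_HEADERS, SAMPLE_BODY, is_stylesheet=False))
    print("after: ", audit_response(harden_headers(SAMPLE_HEADERS), SAMPLE_BODY,
                                    is_stylesheet=False))
    print("recoverable:", lenient_css_blocks(SAMPLE_BODY))
```

The header fixes stop the browser from treating the page as CSS, which is the part of the chain the server fully controls. The remaining finding (a recoverable block) is a reminder that the page still contains a secret next to attacker-influenced text; the durable fix is not to let a cross-site request fetch that secret at all, for example by tying the page to a per-request token rather than to the ambient session cookie alone.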