Gingechilla Posted February 24, 2011 Share Posted February 24, 2011 Hello, I'm creating an application where a user can input there own CSS. The problem I'm having is understanding if this will open security holes if... 1. Users input is saved to a file called style.css 2. Each user is on their own a sub-domain from my reseller hosting plan. 3. The style.css file will be included in the page code like so: <link type='text/css' rel='stylesheet' href='style.css' /> Any advice? Quote Link to comment Share on other sites More sharing options...
ChemicalBliss Posted February 24, 2011 Share Posted February 24, 2011 MySpace was hacked using a method of niserting javascript into a style tag on a profile page. This is basically what a CSS file is. And mainly internet explorer clients will have the vulnerability (of course..). Also, some websites apparently Parse .css files like .php (so you acn write php code inside the CSS file itself). http://ha.ckers.org/xss.html A good reference to know what types of attacks people can use. Should get some ideas on how to defend against such attacks. But I would highly discourage any completely user-written CSS files unless you have better html security and control than myspace did when it got hacked . The only other thing would be to to never let the SCS files be loaded by a browser and only included and displayed in plain text (like a user-repository of CSS files) - and/or - only let the user that created the CSS file actually use it - then they could only hack themselves . Basically, unless you do some serious research into this matter i would advise against it, especially if it's not an especially needed/wanted feature . Good luck though, hope this helps Quote Link to comment Share on other sites More sharing options...
Gingechilla Posted February 24, 2011 Author Share Posted February 24, 2011 Hmm I guess they would only be hacking themselves though? I mean, if I give each user their own hosting account through my reseller hosting, and they can only use the style sheet on one page of their website, which doesn't link to any other user account... it should be fine? PS: I'm building like a profile page for each user which is separated from others by different hosting accounts. PPS: Oh and people who view the page are the general public and not logged into anything. ------ PPPS: I just copied every single code off the http://ha.ckers.org/xssAttacks.xml site and out in in my style sheet. No pop-ups or anything. Quote Link to comment Share on other sites More sharing options...
ChemicalBliss Posted February 24, 2011 Share Posted February 24, 2011 I go to your site and create a sub-domain. I create a CSS file with hacks attached to it. Now, if Joe Public comes over and views this XSS stylesheet they are vulnerable to attacks from that sub-domain, eg, I could write some java code that implements a secuirty vulnerability in an older browser that could potentially upload a virus or worse to "joe public". Your website *might* be ok, depending on how each browser (and old ones of course) controls cookie-domains, some will only allow the current domain/sub domain access to cookies it recieves from it, some i bet are a little more leniant by letting a sub-domain set a cookie for the whole domain, or let a sub-domain view cookies from a whole domain. either way, I think you see my point . I would highly encourage a set of "pre-defined" css layouts that can be "modified", like changing colors, etc. So basically you would have CSS "template" layouts, with a default/generic color/image scheme. The user would choose one. Then the user could go to a CSS Edit page, and select colors for certain parts of the CSS, and put images in etc. This way you could santize all the input properly, and prevent any "hacking" in the CSS as the user only has access to field "values" and it should be sanitized. hope this helps Quote Link to comment Share on other sites More sharing options...
Gingechilla Posted February 24, 2011 Author Share Posted February 24, 2011 I guess I get it. I mean I'm only aiming for 300 users so if a user wanted their own personalised template I could check through their code first. Quote Link to comment Share on other sites More sharing options...
ChemicalBliss Posted February 24, 2011 Share Posted February 24, 2011 You could also create a "whitelist" of characters that should be used in the CSS (a-z, 0-9, ; : - brackets etc...) and then a blacklist for dissallowed words like javascript: etc, but this would be difficult to know for sure that it is 100% safe against CSS java hacks. Also, going over 300 CSS files will be a pain . hope this helps Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.