Jeroen Beerstra wrote:

> Could somebody please explain to me how to
> test/secure your site from CSS vulnerabilities?

The first best thing you can do is to NOT allow user input
characters ("<", ">", '"', "'") to be echoed to the
browser/screen/output. Remove these characters from
any HTTP request where they aren't needed for
functionality. These 4 characters are the main cause of all
CSS vulnerabilities.


> I understood from Cert's and Apache's explanations
> that the best thing to do is to encode the output of the
> dynamic parts of your site or else install a filter that
> monitors your web servers output. But why encode,
> did I understand it correctly that this way the output is
> interpreted by the browser as text and not as a tag??

Encode, Decode, Unicode, blah... doesn't matter really. As long
as those characters above can be sent to the screen, there
is a problem.


> And more important how and when do you encode
> your output?

Many Web Apps have many requirements. If your WebApp
does NOT have explicit need for HTML, then remove
those characters above from any user input field. Rid HTML,
you can rid CSS.
(This just rids you of CSS mind you, many other issues
may still exist with this type of modest filtering.)


> And does anybody know a (opensource) filter for
> apache that eliminates malicious strings or is the
> whole CSS security issue to site specific for this?

I'm afraid there haven't been any really good filters for
CSS placed in the public domain (that I've seen), most
likely for a variety of reasons. So, whatever your web
app is, you're gonna have to write your own filter. It really
isn't all that hard to strip out 4 characters... so don't sweat it.


As far as CSS testing goes, it's important to fully understand
the issue. Here are a couple of resource links that should
help you out.


OWASP (Application Security Attack Components)
Cross-Site Scripting
http://www.owasp.org/projects/asac/iv-crosssitescripting.shtml


A talk I gave for the Air Force a while ago should help with some
CSS testing.
http://www.whitehatsec.com/afitc2001/index.html


Hope this helps. Good Luck.

Jeremiah Grossman
WhiteHat Security, Inc.
