[OpenAjaxSecurity] Using .CSS as payload for secure cross site communication

Alex Russell alex at dojotoolkit.org
Sat Sep 29 17:53:31 PDT 2007


In the common case, this technique should work, however IE allows 
embedding of script into CSS documents through the "expression()". 
Should any of the rule names match real elements, and the "payloads" be 
improperly escaped, potential code execution is possible.

Secondly, unlike <script> tag inclusion, it's possible for other scripts 
on a page to introspect the returned content through rule iteration 
which means that if evil.com inserts good.css from good.com and the 
cookies mesh, evil.com can still enumerate all of the data from 
good.css.

Regards

On Saturday 29 September 2007 11:26 am, Gideon Lee wrote:
> Folks,
>
> This is the idea I talked about in my last response to Sumeer on the
> discussion of SMash.  For those who somehow have not got that email:
> essentially, the hack can be summarized as a secure interim replacement
> for JSON using css as payload, before HTML5 gives us secure
> cross-site communication.  For the purpose of SMash (which too can be
> seen as a secure mashup enabler until something like that appears
> natively in the browsers), this can complement as a data performance
> helper.  The reason is that most web widgets receive data from a
> server anyway.  So we can use SMash to do the initial communication,
> and this to pump large data payloads across domain.  This proposal can
> also be used as a basis for an alternative transport to XHR for the
> server-side hub work which Greg Wilkins is leading.
>
> Even though it works on the few browsers I tested, I'm not absolutely
> sure if it addresses all security issues. I'd appreciate thoughts
> from all of you.  Thank you very much.
>
> Gideon Lee
> OpenSpot

-- 
Alex Russell
alex at sitepen.com     A99F 8785 F491 D5FD 04D7 ACD9 4158 FFDF 2894 6876
alex at dojotoolkit.org BE03 E88D EABB 2116 CC49 8259 CF78 E242 59C3 9723
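The two caveats in the reply above (values that break out of a rule and reach IE's expression(), and any page script reading the data back by walking the rules), as an added example that is not code from this thread, from SMash or from OpenSpot. The `#payload-` selector prefix, the function names and the sample data are assumptions of this example.

```javascript
// Defensive encoder/decoder for the CSS-as-payload idea. Every data character
// outside [A-Za-z0-9 ] is emitted as a CSS hex escape, so a value can never close
// its string, end the rule block, or spell out "expression(" in a position where
// IE would evaluate it. Runs under Node.js with no dependencies.
const SAFE = /^[A-Za-z0-9 ]$/;

function cssEscape(value) {
  let out = "";
  for (const ch of String(value)) {
    // Trailing space terminates the hex escape so the next character is never
    // swallowed into it (e.g. "(1" becomes "\28 1", not "\281").
    out += SAFE.test(ch) ? ch : "\\" + ch.codePointAt(0).toString(16) + " ";
  }
  return out;
}

// Keys are restricted to a fixed prefix plus [a-z0-9-] so the generated selectors
// cannot match real elements on the including page.
function encodeCssPayload(data) {
  return Object.entries(data).map(([key, value]) => {
    if (!/^[a-z][a-z0-9-]*$/.test(key)) throw new Error("bad key: " + key);
    return `#payload-${key} { content: "${cssEscape(value)}"; }`;
  }).join("\n");
}

function cssUnescape(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6}) ?|\\(.)/g,
    (_, hex, ch) => (hex ? String.fromCodePoint(parseInt(hex, 16)) : ch));
}

// Stands in for document.styleSheets[i].cssRules iteration: any script on the
// including page can recover the data this way, which is why the CSS payload
// must not carry anything the including origin is not allowed to read.
function decodeCssPayload(css) {
  const data = {};
  const rule = /#payload-([a-z][a-z0-9-]*)\s*\{\s*content:\s*"((?:[^"\\]|\\.)*)"\s*;?\s*\}/g;
  for (const m of css.matchAll(rule)) data[m[1]] = cssUnescape(m[2]);
  return data;
}

// Coarse consumer-side guard for a fetched payload; the hex encoding above is the
// real protection, this only catches an unencoded expression() in plain text.
function containsExpression(css) {
  return /expression\s*\(/i.test(css);
}
```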