|
|
| (2 intermediate revisions by 2 users not shown) |
| Line 2: |
Line 2: |
| | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| − | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
| |
| − | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| |
| | | | |
| − | __TOC__{{TOC hidden}}
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Securing_Cascading_Style_Sheets_Cheat_Sheet.html Securing Cascading Style Sheets (CSS) Cheat Sheet] to see the latest version of the cheat sheet. |
| − | | |
| − | = Introduction =
| |
| − | | |
| − | The goal of this “CSS (Not [[XSS (Cross Site Scripting) Prevention Cheat Sheet|XSS]], but [https://www.w3schools.com/css/css_intro.asp Cascading Style Sheet]) Cheat Sheet is to inform Programmers, Testers, Security Analysts, Front-End Developers and anyone who is interested in Web Application Security to use these recommendations or requirements in order to achieve better security when authoring “Cascading Style Sheets.”
| |
| − | | |
| − | Let's demonstrate this risk with an example:
| |
| − | | |
| − | Santhosh is a programmer who works for a company called “X” and authors a Cascading Style Sheet to implement styling of the web application. The application for which he is writing CSS Code has various roles like “Student”, “Teacher”, “Super User” & “Administrator” and these roles have different permissions (PBAC - [[Access Control Cheat Sheet|Permission Based Access Control]]) and Roles (RBAC - [[Access Control Cheat Sheet|Role Based Access Control]]). Not only do these roles have different access controls, but these roles could also have different styling for webpages that might be specific to an individual or group of roles.
| |
| − | | |
| − | Santhosh thinks that it would a great optimized idea to create a “global styling” css file which has all the CSS styling/selectors for all of the roles. According to their role, a specific feature or user interface element will be rendered. For instance, Administrator will have different features compared to “Student” or “Teacher” or “SuperUser”. However, some permissions or features maybe common to some roles.
| |
| − | | |
| − | Example: Profile Settings will be applicable to all the users here while “Adding Users” or “Deleting Users” is only applicable for “Administrator”.
| |
| − | | |
| − | Example:
| |
| − | * .login
| |
| − | * .profileStudent
| |
| − | * .changePassword
| |
| − | * .addUsers
| |
| − | * .deleteUsers
| |
| − | * .addNewAdmin
| |
| − | * .deleteAdmin
| |
| − | * .exportUserData
| |
| − | * .exportProfileData
| |
| − | * ...
| |
| − | | |
| − | Now, let’s examine what are the risks associated with this style of coding.
| |
| − | | |
| − | == Risk #1 ==
| |
| − | Motivated Attackers always take a look at <code>*.CSS</code> files to learn the features of the application even without being logged in.
| |
| − | | |
| − | For instance: Jim is a motivated attacker and always tries to look into CSS files from the View-Source even before other attacks. When Jim looks into the CSS file, he sees that there are different features and different roles based on the CSS selectors like <code>.profileSettings, .editUser, .addUser, .deleteUser</code> and so on. Jim can use the CSS for intel gathering to help gain access to sensitive roles.This isa form of attacker due diligence even before trying to perform dangerous attacks to gain access to the web application.
| |
| − | | |
| − | In a nutshell, having global styling could reveal sensitive information that could be beneficial to the attacker.
| |
| − | | |
| − | == Risk #2 ==
| |
| − | Let’s say, Santhosh has this habit of writing the descriptive selector names like <code>.profileSettings, exportUserData, .changePassword, .oldPassword, .newPassword, .confirmNewPassword</code> etc. Good programmers like to keep code readable and usable by other Code Reviewers of the team. The risk is that attackers could map these selectors to actual features of a web application.
| |
| − | | |
| − | = Defensive Mechanisms to Mitigate Attacker’s Motivation =
| |
| − | | |
| − | == Defense Mechanism ==
| |
| − | As a CSS Coder / Programmer, always keep the CSS isolated by access control level. By this, it means '''Student''' will have a different CSS file called as <code>StudentStyling.CSS</code> while '''Administrator''' has <code>AdministratorStyling.CSS</code> and so on. Make sure these <code>*.CSS</code> files are accessed only for a user with the proper access control level. Only users with the proper access control level should be able to access their <code>*.CSS</code> file.
| |
| − | | |
| − | If an authenticated user with the '''Student''' Role tries to access <code>AdministratorStyling.CSS</code> through forced browsing, an alert that an intrusion is occurring should be recorded.
| |
| − | | |
| − | == Defense Mechanism #2 ==
| |
| − | | |
| − | Being a programmer or a tester, take care of the naming conventions of your CSS (Cascading Style Sheet) Selectors. Obfuscate the selector names in such a fashion that attackers are not informed what a specific selector is linking to.
| |
| − | | |
| − | Example: CSS Selectors for <code>addUser, addAdmin, profileSettings, changePassword</code> could be named <code>aHj879JK, bHjsU, ahkrrE, lOiksn</code> respectively. These names could be randomly generated per user as well.
| |
| − | | |
| − | This [https://www.npmjs.com/package/rename-css-selectors NPM package] can be used to perform the renaming of the CSS selector.
| |
| − | | |
| − | == Defense Mechanism #3 ==
| |
| − | | |
| − | If your web application sends some styling via JSON request in specific features for various reasons, then make sure that the properties and values are not tampered with and also reject anything that appears to be suspicious or anything that is out of your whitelist. This attack may work even when you have escaped characters, or done input encoding and output encoding.
| |
| − | | |
| − | Example: Someone may just tamper with the request body of a specific feature and edit the styling to create an attack where height or width can be changed to make it look like fullpage & also every part of the webpage is clickable which will redirect the users to malicious websites which will inturn have multitude of attacks.
| |
| − | | |
| − | You can read about how [https://www.scmagazineuk.com/style-sheet-vulnerability-allowed-attacker-hijack-linkedin-pages/article/1479529 LinkedIn] had a vulnerability through Cascading Style Sheet which was fixed once reported.
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Santhosh Tuppad - https://www.linkedin.com/in/santhosh-tuppad-338b7412/
| |
| − | | |
| − | = Other Cheatsheets =
| |
| − | {{Cheatsheet_Navigation_Body}}
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
| − | [[Category:Popular]]
| |
| − | |}
| |
