CSS Cross-Origin Attacks

by Andrew N

CSS Cross-Origin Attacks



Cross-origin attacks are when an attacker inserts their scripting into an existing block of code and is able to extract private information through luring the end user to basically give them the information. They can do this through various ways such as luring you to one of their websites or send e-mails that can activate the extraction. All browsers a susceptible to such attacks. The attackers are actually very limited to what they can do. They are mainly trying to get you to make the wrong decision by luring you to click on an extraction link which is actually a site on their web server where they can request for the code block that has been compromised by their string injection. Cookies are a present threat because they store valuable information and without them attackers are helpless. Attackers are also limited by the structure and behavior of the site as well, such as, insufficient injection points, quotes, line breaks, character escapes. These have to be replicated exactly by the attacker or it will not work. Example of an attack would be Yahoo! Mail where the attacker can send mail to lure you into clicking on their site and as it loads, it also pulls from their injection strings your information.

In my opinion, this is a big hole in the website world because a dedicated attacker would be able to get through anything if no action is taken. I agree that having stricter rules and designs will help deter these types of attacks but when would it be taken into consideration? So far, personally I have not experienced anything of this nature myself, but I have had friends that have had their credit card information stolen somehow. I find that as technology progresses it also beings along the side effects which need to be sought after as well which is security.

Although defenses have been set into place attackers have been able to by pass it, so when it comes down to the bottom line it is up to the design to put in place stricter security measures. These attacks have been known for awhile now and as time goes along many browsers have adopted stricter defense in terms of loading and parsing content. I have not witness any types of hacking from each browser but that is because I haven’t been exposed to it yet.

Huang, L., Weinberg, Z., Evan, C., & Jackson, C. (2010). Protecting browsers from cross-origin css attacks. Retrieved from
http://0-delivery.acm.org.opac.library.csupomona.edu/10.1145/1870000/1866376/p619-huang.pdf?ip= SERVICE&CFID=50275124&CFTOKEN=61939566&__acm__=1319394306_fef2e51e7463d7ac5d024c323100e082