Vulnerability Development mailing list archives

RE: CSS, CSS & let me give you some more CSS


From: Marc Slemko <marcs () znep com>
Date: Fri, 1 Feb 2002 19:00:17 -0800 (PST)

On Fri, 1 Feb 2002, Brian McWilliams wrote:

> At 03:09 PM 1/31/2002, Joe Harrison wrote:
> > I can't help feel the importance of these cross-site-scripting attacks is
> > over-emphasised.
>
> As others have pointed out, CSS bugs can be used to do some pretty
> interesting things.
>
> FYI, the source De Vitry injected into the news site pages is here:
> http://devitry.com/mon


More interesting are cases where you can actually inject it into a cookie
that the site uses to make it persist.

Rare perhaps, but it has a good history because Microsoft themselves created
a good demo of this exact technique a couple of years back when they first
brought forward the "new age" of CSS (which resulted in the CERT
advisory)... was an exploit that set a msnbc.com cookie that made the news
story on the msnbc.com home page (either that or some other msn news site,
would have to check my notes) be a bogus attacker-specified story, even if
you went back there by entering "http://www.msnbc.com/" directly or closed
and restarted your browser before returning.

There are a lot of issues.  Many of them are fairly low risk.  But it is
important that people don't get tricked into thinking they are all low
risk, since this is a massive issue.  IMHO, one of the biggest ongoing
issues with the deployment of web based applications.
