Last post Apr 13, 2017 06:23 PM by bbcompent1
Apr 13, 2017 06:11 PM | tvb2727
Can someone tell me if css style sheet paths should be absolute and not relative due to Path-relative style sheet import vulnerabilities?
I have a security finding on a website I work on and it is saying that "The root cause of the vulnerability can be resolved by not using path-relative URLs in style sheet imports."
Here is it currently: <link rel="stylesheet" type="text/css" href="style/root.css"/>
Is this any better?: <link rel="stylesheet" type="text/css" href="style/root.css"/>
Or should it be this:
<link rel="stylesheet" type="text/css" href="https://mydomain.com/style/root.css"/>
I have always done the relative due to going via environments?
Apr 13, 2017 06:23 PM | bbcompent1
This article had a few ways to harden your CSS security.
According to :
Path-relative style sheet import vulnerabilities arise when the following conditions hold:
1. A response contains a style sheet import that uses a path-relative URL (for example, the page at "/original-path/file.php" might import "styles/main.css").
2. When handling requests, the application or platform tolerates superfluous path-like data following the original filename in the URL (for example, "/original-path/file.php/extra-junk/"). When superfluous data is added to the original URL, the application's response still contains a path-relative stylesheet import.
3. The response in condition 2 can be made to render in a browser's quirks mode, either because it has a missing or old doctype directive, or because it allows itself to be framed by a page under an attacker's control.
4. When a browser requests the style sheet that is imported in the response from the modified URL (using the URL "/original-path/file.php/extra-junk/styles/main.css"), the application returns something other than the CSS response that was supposed to be imported. Given the behavior described in condition 2, this will typically be the same response that was originally returned in condition 1.
5. An attacker has a means of manipulating some text within the response in condition 4, for example because the application stores and displays some past input, or echoes some text within the current URL.
Given the above conditions, an attacker can execute CSS injection within the browser of the target user. The attacker can construct a URL that causes the victim's browser to import as CSS a different URL than normal, containing text that the attacker can manipulate. Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:
Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.
Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.