Protecting browsers from cross-origin CSS attacks

13 years 4 months ago

Download websec.sv.cmu.edu

Cross-origin CSS attacks use style sheet import to steal confidential information from a victim website, hijacking a user's existing authenticated session; existing XSS defenses are ineffective. We show how to conduct these attacks with any browser, even if JavaScript is disabled, and propose a client-side defense with little or no impact on the vast majority of web sites. We have implemented and deployed defenses in Firefox, Google Chrome, and Safari. Our defense proposal has also been adopted by Opera. Categories and Subject Descriptors K.6.5 [Management of Computing and Information Systems]: Security and Protection General Terms Security Keywords CSS, Content Type, Same-Origin Policy

Lin-Shung Huang, Zack Weinberg, Chris Evans, Colli

Real-time Traffic

CCS 2010 | Cross-origin CSS | Security Privacy | Style Sheet Import | XSS Defenses |

claim paper

» Protecting browsers from dns rebinding attacks

» Forcehttps protecting highsecurity web sites from network attacks

» Web Browser History Detection as a RealWorld Privacy Threat

» Protecting Users Against Phishing Attacks with AntiPhish

» Securing Frame Communication in Browsers

» HProxy ClientSide Detection of SSL Stripping Attacks

» Privacypreserving browserside scripting with BFlow

» Custom Plugin A Solution to Phishing and Pharming Attacks

Post Info
More Details (n/a)

Added	06 Dec 2010
Updated	06 Dec 2010
Type	Conference
Year	2010
Where	CCS
Authors	Lin-Shung Huang, Zack Weinberg, Chris Evans, Collin Jackson

Comments (0)

Sciweavers

Protecting browsers from cross-origin CSS attacks

CCS 2010 | Cross-origin CSS | Security Privacy | Style Sheet Import | XSS Defenses |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers