I know that javascript files can contain malware. However, I am not so sure about CSS files. They only affect how the page is displayed, right? I know that css files can be used for clickjacking but I cannot imagine how they can be used to infect someone. How can a css file be used to compromise a machine? Are there any examples of malware/exploits using CSS files? Any pointers would be helpful. Thanks!
Asked
Active
Viewed 8,194 times
8
-
Maybe specify what types of malware or threats you are expecting to see? – Matthew Peters Oct 01 '14 at 15:07
-
3It isn't malware, specifically, but there are attacks that can be mounted using only HTML and CSS. Demoed: [Scriptless Attacks: Stealing the Pie Without Touching the Sill](http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1203) – Xander Oct 01 '14 at 18:20
-
See http://security.stackexchange.com/q/37832/971, http://security.stackexchange.com/q/42527/971, and http://security.stackexchange.com/q/36629/971 -- the answers there answer your question. (You could have found at least one of these on your own by clicking on the `tag:css` tag and looking through the half-dozen questions that come up. In the future you might want to consider spending a bit more time browsing through other questions here.) – D.W. Oct 01 '14 at 21:33
3 Answers
8
Yes: CSS can contain malware, though in my experience, its usually been tied to a vulnerability, e.g. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3971
As far as it containing JavaScript, that's certainly a vector, though successful exploitation should generally be limited by vulnerabilities within the Browser, the OS and the JavaScript engine. Vulnerable ActiveX controls are a factor as well in such scenarios.
W1T3H4T
- 338
- 1
- 6
-
-
Yup, great link! @SteveDL - Sorry, but I am marking this as an answer because I think its more appropriate. I hope its alright! :) – Pervy Sage Oct 01 '14 at 19:59
-
@PervySage why would it not be? This answer is better than mine! ;) – Steve Dodier-Lazaro Oct 01 '14 at 20:05
5
CSS rules can actually contain JS code (supported by at least some browsers), so from that perspective CSS can be "as bad as" JS.
This SO answer might be helpful if you want more detail. https://stackoverflow.com/a/482088
1
There are two different types of issues with untrusted data:
- It can contain malicious code to be executed directly (malware)
- It can be crafted in such a way that it will cause your legitimate applications to behave erratically (exploit) and perform something bad (payload)
JavaScript really is in the first category. When browser or PDF writer vendors (or any other software vendors who use JS) don't pay enough attention as to what their JavaScript engine allows attackers to do, JavaScript code can be written to hurt your system. For instance XML External Entity attacks use the XML specification in JavaScript code to reach files they're not allowed to touch.
CSS files do not naturally contain code, but as cloudfeet pointed out a rogue CSS file can trigger your browser into loading and executing external files containing scripts. This means a CSS file could be used to trigger JavaScript executions (but if a browser extension that blocks scripts was installed, it would probably block such scripts as well).
Besides this, "static" files that do not contain code can hurt a browser by containing (carefully chosen) bogus data that exploits the existence of a bug or a mistake (called vulnerability) in the browser. The way in which the browser will fail to process this bogus data will cause it to perform actions that the attacker is looking for. For instance, it might redirect the execution of the browser's code to some segment of the CSS file that contains machine instructions, instead of the normal browser code.
This sounds unlikely but actually a lot of attacks belong to this category. For instance JPEG and PNG libraries are occasionally targeted, because they are low-level code that is very widely used (by browsers and also other programs like your OS). Often, browsers will create specific processes with stripped down privileges for parsing files and rendering Web pages to reduce the risk associated with running such code.
The bad news is you can't do anything at all about this and are constantly exposed to danger on the Web. Your only help is to keep all your software up to date to reduce the attack surface.
Steve Dodier-Lazaro
- 6,798
- 29
- 45
-
This answer starts out excellent, but then is missing some relevant information about web browsers. I suggest you read the StackOverflow answers that cloudfeet linked to. You mentioned that you didn't understand what those answers are referring to; as a result, it looks to me like your analysis is incorrect or incomplete. Some (mostly older) browsers do indeed allow you to put Javascript in CSS files, and the browser will automatically execute the Javascript -- so your analysis in the last two paragraphs is based on a faulty premise. This means CSS *can* potentially be of the first type. – D.W. Oct 01 '14 at 21:30
-
I (incorrectly) assumed that the OP was not very familiar with infosec terminology (upon reading his/her question too quickly) and so kept the discussion high-level and rather simplistic. To be honest I'm probably going to delete this answer, the others are way more on-topic. – Steve Dodier-Lazaro Oct 01 '14 at 21:35
-
-
I think the answer has value -- I wouldn't delete it -- I'd just suggest editing the latter two paragraphs to reflect that in some browsers, CSS can contain JS that the browser will execute. You set up a very nice framework for thinking about this question in your first two paragraphs. – D.W. Oct 01 '14 at 21:41
-