author Claudio B. <claudiob@users.noreply.github.com> 2015-10-04 10:14:09 -0700
committer Claudio B. <claudiob@users.noreply.github.com> 2015-10-04 10:14:09 -0700
commit 5dfc7a90064c4dcb6b4f46616bb05f96e26c941d (patch)
tree 8d2b2d9f831e7fc458f8a1dd04f956f6dd5d5af4 /guides/source
parent df9faf53e9cfddd1be9a09811eed1192a3073afc (diff)
parent 19b626a31a6a09f651b9864244de096a66bb2d52 (diff)
Merge pull request #21857 from cllns/fix-myspace-example-wording
Update text on CSS Injection
Diffstat (limited to 'guides/source')
-rw-r--r-- guides/source/security.md | 8
1 files changed, 3 insertions, 5 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index 5a6ac9446a..9452d4d9a2 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -793,15 +793,13 @@ Another proof-of-concept webmail worm is Nduja, a cross-domain worm for four Ita
In December 2006, 34,000 actual user names and passwords were stolen in a [MySpace phishing attack](http://news.netcraft.com/archives/2006/10/27/myspace_accounts_compromised_by_phishers.html). The idea of the attack was to create a profile page named "login_home_index_html", so the URL looked very convincing. Specially-crafted HTML and CSS was used to hide the genuine MySpace content from the page and instead display its own login form.
-The MySpace Samy worm will be discussed in the CSS Injection section.
-
### CSS Injection
INFO: _CSS Injection is actually JavaScript injection, because some browsers (IE, some versions of Safari and others) allow JavaScript in CSS. Think twice about allowing custom CSS in your web application._
-CSS Injection is explained best by a well-known worm, the [MySpace Samy worm](http://namb.la/popular/tech.html). This worm automatically sent a friend request to Samy (the attacker) simply by visiting his profile. Within several hours he had over 1 million friend requests, but it creates too much traffic on MySpace, so that the site goes offline. The following is a technical explanation of the worm.
+CSS Injection is explained best by the well-known [MySpace Samy worm](http://namb.la/popular/tech.html). This worm automatically sent a friend request to Samy (the attacker) simply by visiting his profile. Within several hours he had over 1 million friend requests, which created so much traffic that MySpace went offline. The following is a technical explanation of that worm.
-MySpace blocks many tags, however it allows CSS. So the worm's author put JavaScript into CSS like this:
+MySpace blocked many tags, but allowed CSS. So the worm's author put JavaScript into CSS like this:
```html
<div style="background:url('javascript:alert(1)')">
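Review bot: the rewritten line `+MySpace blocked many tags, but allowed CSS. So the worm's author put JavaScript into CSS like this:` leaves the defensive lesson implicit; consider adding a sentence that blocking tags by name (a blacklist) does not stop script delivered through a `style` attribute, since `background:url('javascript:...')` executes in the browsers the INFO line names, so user-supplied CSS needs the same whitelist-based sanitization as user-supplied HTML. Also, dropping `-The MySpace Samy worm will be discussed in the CSS Injection section.` removes the only cross-reference from the phishing paragraph to this section; a short link in its place would keep the two related MySpace incidents connected for the reader.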
@@ -825,7 +823,7 @@ The next problem was MySpace filtering the word "javascript", so the author used
<div id="mycode" expr="alert('hah!')" style="background:url('java↵
script:eval(document.all.mycode.expr)')">
```
-Another problem for the worm's author were CSRF security tokens. Without them he couldn't send a friend request over POST. He got around it by sending a GET to the page right before adding a user and parsing the result for the CSRF token.
+Another problem for the worm's author was the [CSRF security tokens](#cross-site-request-forgery-csrf). Without them he couldn't send a friend request over POST. He got around it by sending a GET to the page right before adding a user and parsing the result for the CSRF token.
In the end, he got a 4 KB worm, which he injected into his profile page.
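Review bot: the new link target `#cross-site-request-forgery-csrf` in `+Another problem for the worm's author was the [CSRF security tokens](#cross-site-request-forgery-csrf).` must match the anchor the guides generator derives from the CSRF section heading; please confirm it resolves in the rendered guide rather than silently jumping to the page top. While here, the paragraph would benefit from stating the lesson the anecdote illustrates: a CSRF token is readable by any script already running in the victim's session, so it is not a defense against XSS (the GET-then-parse step in the unchanged context shows exactly that), and the mitigation for this class of attack remains preventing script injection in the first place.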