Evil CSS injection bug warning: Don't let hackers cross paths with your website

  • 20 February 2015

Say hello to a fascinating vulnerability in web scripts

  20 Feb 2015 at 10:31, John Leyden

  Developers should check their websites for path-relative stylesheet import (PRSSI) vulnerabilities, which can allow miscreants to hijack web pages and steal login cookies, security researchers have urged. PortSwigger, though, is unaware of crooks exploiting PRSSIs in the wild.

  To stop bad guys and girls exploiting CSS paths, developers are urged to:
  • Avoid using path-relative links
  • Set the server header X-Frame-Options to "deny" on all pages
  • Set the server header X-Content-Type-Options to "nosniff" on all pages
  • Set a modern doctype on all pages
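
One way to check a single response against the four recommendations above, as an added example that is not part of the original article. The function names are hypothetical, the sample responses are constructed, "modern doctype" is assumed to mean `<!DOCTYPE html>`, and only `<link rel="stylesheet">` tags are inspected.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class PageScan(HTMLParser):
    """Collects the doctype and every stylesheet href found on a page."""
    def __init__(self):
        super().__init__()
        self.doctype, self.css_hrefs = None, []

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = " ".join(decl.split()).lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            self.css_hrefs.append(a.get("href") or "")

def is_path_relative(href):
    """True when the href is resolved against the current URL path ('style.css', '../a.css')."""
    parts = urlsplit(href)
    return not parts.scheme and not parts.netloc and not parts.path.startswith("/")

def audit_prssi(headers, html):
    """Return findings for the four mitigations; an empty list means all are in place."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    scan = PageScan()
    scan.feed(html)
    findings = [f"path-relative stylesheet: {u}" for u in scan.css_hrefs if is_path_relative(u)]
    if h.get("x-frame-options") != "deny":
        findings.append("X-Frame-Options is not 'deny'")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # Assumption: "modern doctype" is taken to mean the HTML5 doctype only.
    if scan.doctype != "doctype html":
        findings.append("no modern doctype (<!DOCTYPE html>)")
    return findings

# Constructed sample responses (not taken from any real site).
WEAK = ({"Content-Type": "text/html"},
        '<html><head><link rel="stylesheet" href="style.css"></head><body></body></html>')
HARDENED = ({"X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"},
            '<!DOCTYPE html><html><head>'
            '<link rel="stylesheet" href="/static/style.css"></head><body></body></html>')

if __name__ == "__main__":
    for name, (hdrs, body) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_prssi(hdrs, body))
```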