[Home]CSS Security

HomePage | RecentChanges | Preferences | Newbie Help

Category CSS FAQ

XML: Unexpected security holes

 David Megginson, of Megginson Technologies, gave an amusing
 yet ultimately serious talk on XML's potential vulnerability
 to content vandalism by even unsophisticated hackers. The
 problems mostly stem from the ability to reference remote
 stylesheets in a document. A highly secure industrial system
 might reference a large stylesheet on a relatively insecure
 campus computer, for example. 

 A cracker could then modify that stylesheet in ways that
 changed the perceived content of the page. Megginson used
 some amusing examples to demonstrate the potential results
 of such an attack. He showed that a bolded "not" in a
 sentence could be changed to match the background, making it
 disappear. (If "not" came at the end of a line, it's
 disappearance might not be noticed, drastically changing the
 sentence's meaning.) In another example, Megginson showed
 how the ability to add decorations to a line in a stylesheet
 would make it possible to add the words "BIG LIE:" to the
 beginning of a list item. 

 The bottom line for industry: most potential stylesheet
 security problems can be avoided by copying stylesheets to a
 secure local area and referencing them there. That might not
 be the ideal answer, but it is a highly effective,
 relatively low-cost solution that is likely to be the norm
 for years to come. 

From http://www.javaworld.com/jw-03-2000/jw-03-xmlshow.html. Also see:


Other CSS security issues


Comments?


HomePage | RecentChanges | Preferences | Newbie Help
This page is read-only | View other revisions
Last edited November 17, 2001 8:50 am (diff)
Search:

This FAQ is happily hosted by Betadome Digital Media