In association with heise online

CSS Encoding can help 09 March 2009 16:42

Encoding CSS while using XHTML will certainly help protect against
these kinds of attacks.

An input validation model using an open-source, third-party component
called OWASP AntiSamy is probably one of the only defenses for code
coming into this "presentation/stylesheet" layer (or the related
content and behavior layers). However, note that code doesn't come
only over the HTTP layer, which appears to be the source of this
problem that you describe.

Check out http://i8jesus.com/?p=10 or the Addison-Wesley book titled
"Ajax Security", especially Chapter 12 on "Attacking the Presentation
Layer".

These presentation-layer attacks do not only apply to eBay. One
thing that I learned about these sorts of attacks is that web
application firewalls (WAFs) do not help to prevent these types of
attacks today, even using a whitelist model.
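The CSS encoding the comment above recommends, as an added illustration that is not the commenter's code: every character of an untrusted value that is not alphanumeric is turned into a CSS hex escape before it is placed in a property value, so a string that tries to end the value and start a new declaration stays a single inert token. The function names `cssEncode`, `styleAttrFor` and `containsRawDelimiters` and the sample input are assumptions made for this example.

```javascript
// Added example (not from the original comment). Encode an untrusted value
// for a CSS property-value context, e.g. a user-chosen colour in a style
// attribute. Every code point outside [A-Za-z0-9] becomes `\HH ` (hex code
// point plus a trailing space, so the following character is never absorbed
// into the escape). Hex case does not matter to CSS.
function cssEncode(value) {
  return Array.from(String(value)).map((ch) => {
    const cp = ch.codePointAt(0);
    const alnum =
      (cp >= 0x30 && cp <= 0x39) || // 0-9
      (cp >= 0x41 && cp <= 0x5a) || // A-Z
      (cp >= 0x61 && cp <= 0x7a);   // a-z
    return alnum ? ch : "\\" + cp.toString(16) + " ";
  }).join("");
}

// Build a style attribute for a user-chosen colour (hypothetical helper).
function styleAttrFor(userColour) {
  return 'style="color: ' + cssEncode(userColour) + '"';
}

// Check that an encoded value contains no raw CSS delimiters once the
// well-formed escapes are stripped; this is what makes the breakout fail.
function containsRawDelimiters(encoded) {
  const withoutEscapes = encoded.replace(/\\[0-9a-f]+ /g, "");
  return /[;:(){}"'\/\\<>]/.test(withoutEscapes);
}

// Constructed sample: a value that tries to close the colour and add a
// second declaration. After encoding, `;`, `:` and the spaces are escapes,
// so the browser sees one (invalid) colour value and nothing else.
const hostile = "red; display: none";
console.log(styleAttrFor(hostile));
console.log("raw delimiters left:", containsRawDelimiters(cssEncode(hostile)));
```

Encoding only protects a single value slot; where users may supply whole rules or stylesheets, a policy-based sanitizer such as the AntiSamy the comment mentions is the appropriate control.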
