π¨ CSS Injection on GitHub: What Happened and How to Stay Safe π¨
Hey Dev.to community! π
I wanted to bring your attention to a recent security issue involving CSS injection on GitHub. This incident has been a hot topic and underscores the importance of staying vigilant with web security. Let's break down what happened, the implications, and how we can protect our projects from such vulnerabilities.
What Happened? π΅οΈββοΈ
Recently, a CSS injection vulnerability was discovered on GitHub profiles. This type of attack allows malicious users to inject unauthorized CSS code into web pages, potentially altering their appearance and behavior in harmful ways. Steve Matindi wrote an insightful article on Medium titled "CSS Injection on GitHub Profiles: From Unicode Exploits to New Bypass Techniques", where he explained how these exploits work and detailed both old and new methods attackers have used.
The Original Exploit: Unicode Command Injection
Initially, attackers found a way to inject CSS styles using LaTeX math mode with the \unicode command. Hereβs an example of the code used:
$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: 100; position: fixed; top: 0; left: 0; height: 100vh; object-fit: cover; background-size: cover; width: 100vw; opacity: 1.0; background: url('https://github.com/stevemats/stong/blob/master/Rotating_cube_SMIL.svg?raw=true');]{x0000}$}$$
This code injected styles that altered the appearance of a profile page by placing an image as the background and applying various CSS properties.
GitHubβs Response: Blocking the Unicode Command
To counter this exploit, GitHub blocked the \unicode command in LaTeX math mode. Users trying to use this command now see an error message: "The following macros are not allowed: \unicode."
A New Bypass Technique: HTML Character Encoding
Despite GitHub's efforts, attackers found a new way to bypass the filter using HTML character encoding. Hereβs an example of the updated exploit:
$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: -10; position: fixed; top: 0; left: 0; height: 100vh; object-fit: cover; background-size: cover; width: 130vw; opacity: 0.5; background: url('https://user-images.githubusercontent.com/30528167/92789817-e4b53d80-f3b3-11ea-96a4-dad3ea09d237.png?raw=true');]{x0000}$}$$
How It Works
-
HTML Character Encoding: The sequence
\is the HTML entity for the backslash (\). This encoding helps avoid directly writing the\unicodecommand, which GitHubβs filter blocks. -
LaTeX Math Mode: The code remains enclosed within LaTeX math mode markers (
$$...$$), allowing LaTeX commands. -
Chemical Equation (
\ce) Environment: The\cecommand acts as a wrapper, potentially disguising the intent of the code. -
Unicode Command Injection: When decoded, the
\entity is interpreted as a backslash, executing the\unicodecommand with the specified CSS properties.
Why This Bypass Works
-
Encoding Trick: By using
\, the command is hidden from the filter that blocks\unicode. - Command Interpretation: Once rendered, the encoded character is interpreted correctly, executing the command.
GitHub's Continued Efforts
GitHub is actively addressing this new method by further tightening their filters and enhancing their security measures. These steps are crucial for several reasons:
- Security Risks: Arbitrary CSS injection poses significant security vulnerabilities, including phishing risks.
- Site Integrity: CSS injection can disrupt the site's consistent appearance and functionality.
- Abuse Prevention: Restrictions are necessary to prevent malicious actors from exploiting CSS injection for harmful activities.
- User Experience: Excessive styles can lead to poor user experiences, making profiles unusable or visually overwhelming.
Protecting Your Projects π§
As developers, we must be proactive in safeguarding our projects against CSS injection and other security threats. Here are some best practices:
- Sanitize and Validate User Inputs: Always ensure user inputs are sanitized and validated before processing or rendering them.
- Implement Content Security Policies (CSP): Use CSP headers to restrict the sources from which CSS and other resources can be loaded.
- Conduct Regular Security Audits: Regularly audit your code and conduct security reviews to identify and fix vulnerabilities.
- Stay Informed: Keep up with the latest security trends and updates.
Resources π
To dive deeper into CSS injection and prevention techniques, check out these resources:
- Security Boulevard: CSS Injection Prevention Guide
- OWASP: Cross-Site Scripting (XSS)
- MDN Web Docs: Content Security Policy (CSP)
Conclusion
Security vulnerabilities like CSS injection are a stark reminder of the ever-present threats in web development. By adopting best practices and staying vigilant, we can protect our projects and users from malicious attacks. Letβs all stay safe and keep coding securely! πͺβ¨
Feel free to share your thoughts and additional tips in the comments. Happy coding! π©βπ»π¨βπ»
References:
I hope this helps! If you have any further details or specific questions about the vulnerability, feel free to ask. π
Tweets
Top comments (3)
Wow... so it's fixed now?
Yep
Thanks for sharing this!
Antonio, CEO & Founder at Litlyx
Some comments may only be visible to logged-in visitors. Sign in to view all comments.