The scenario goes like this: the main parts of the web site are on one server. All traffic goes over https. I have no control over this server.

Themes use css files and images from another server. Also over https. I have full control over this server.

How vulnerable is the main site (how and why) if css files and images would go over http? I am asking only about css and images.

I don't know how relevant it is, but the server is Apache and the language is PHP.

---------------- edit ------------
So far, there is a 'man in the middle' attack that can change the css and thus hide my content, introduce new images and add more text.
But it cannot create live links or add js...

Here is a good discussion about this topic started by symcbean.

CoR
  • Vulnerable against what? – PeeHaa Nov 04 '15 at 11:18
  • Also people will get errors when doing that because of unsafe resources – PeeHaa Nov 04 '15 at 11:21
  • I think this question fits better at http://security.stackexchange.com/ – Ivar Nov 04 '15 at 11:21
  • @PeeHaa: Good question but I have no clear answer. Simply because I don't know what security holes it can create (if any). – CoR Nov 04 '15 at 11:22
  • There's already a discussion on the topic at security.stackexchange: http://security.stackexchange.com/questions/37832/css-based-attacks – symcbean Nov 04 '15 at 12:20
  • @symcbean The best part of this question is when you ask this question on security.stackexchange, you get +23. But if you ask the same question here, you get -2. :D – CoR Nov 28 '15 at 15:19

2 Answers

Any unencrypted HTTP connection can potentially be intercepted and modified by men-in-the-middle. That means, any resource you're retrieving via an HTTP connection is untrustworthy; it cannot be confirmed whether it's the original resource as intended. That means an attacker may be able to include resources in your page which you did not intend to include.

In the case of CSS files content can be altered on your site (display: none, content: "Please go to example.com and enter your password"), in the case of images exploits may be introduced (through buggy image decoding client-side), in the case of Javascript entirely arbitrary behaviour may be injected (e.g. sending all key-strokes to a 3rd party server).

deceze
  • changing src of css in the browser doesn't become vulnerable really. – Bhojendra Rauniyar Nov 04 '15 at 11:23
  • No but the content is... @BhojendraNepal – PeeHaa Nov 04 '15 at 11:23
  • @Bhojendra You can hide content and introduce new content using CSS. This can be used for anything from misdirection to social engineering. – deceze Nov 04 '15 at 11:24
  • You can or cannot accept all you want, but this answer is perfectly correct on every point – PeeHaa Nov 04 '15 at 11:26
  • @Bhojendra You do not seem to realise how powerful CSS can be for altering content, and what security implementations this *may* curtail. – deceze Nov 04 '15 at 11:26
  • @deceze you're right. I've no idea of css to make website vulnerable. – Bhojendra Rauniyar Nov 04 '15 at 11:28
  • @Bhojendra I've added a whiff of an example to my answer. You can use that to introduce the stupidest social engineering tricks, and people *will* fall for it. – deceze Nov 04 '15 at 11:29
  • @CoR Examples always depend on specifics. It should be enough that it's *theoretically* possible to do **something you do not intend to be done** on your site. Someone somewhere someday will develop this theoretical security hole into a practical exploit. You simply do not dismiss obvious entry points as harmless because *you* can't think of a concrete exploit right now. – deceze Nov 04 '15 at 11:33
  • @deceze Cool. So for now css content can only add new text? It can not be used to create live link, or insert js tags. – CoR Nov 04 '15 at 11:51
  • @CoR Not that I'd know off the top of my head, but leave it for someone malicious to find interesting new features in CSS... – deceze Nov 04 '15 at 12:13
  • Right, it can only add text. However, that text may be able to overlap a customer service phone, for example. Security threats are also open doors for scams due to a mix of several factors like technical opportunity and social engineering for example. – vtortola Nov 04 '15 at 14:57

A third party may modify those CSS files or images to convey different things, either by tampering with that data on the fly, or by spoofing the target. The browser would not know if it is getting those from a reliable source, and probably would complain about mixed content issues. CSS3 has many features that may bring pictures from another domain or include unintended content.

vtortola
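
The mixed-content problem mentioned in the comments and in the answer above can be checked before a theme is deployed. The following is an added example, not code from this thread: it lists the `http://` subresources of a page meant to be served over HTTPS, labelled with the W3C Mixed Content (Level 1) categories. The sample page and its host names are constructed.

```python
import re
from html.parser import HTMLParser

FETCHES = {("link", "href"): "blockable", ("script", "src"): "blockable",
           ("iframe", "src"): "blockable", ("img", "src"): "optionally-blockable"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (category, tag, url) in document order
        self._in_style = False

    def _scan_css(self, tag, css):
        # url() in CSS: images are optionally-blockable, @import and fonts blockable.
        self.findings += [("css-url", tag, u) for u in CSS_URL.findall(css or "")]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        self._scan_css(tag, attrs.get("style"))
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                # e.g. rel=canonical is not a stylesheet fetch
        for (t, attr), category in FETCHES.items():
            url = (attrs.get(attr) or "").strip()
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((category, tag, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css("style", data)

def audit(html):
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Added example input: a constructed page; host names are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://assets.example.net/main.css">
<style>.hero{background:url('http://assets.example.net/hero.jpg')}</style>
<img src="http://assets.example.net/logo.png"><img src="https://assets.example.net/ok.png">
<link rel="canonical" href="http://www.example.com/">"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A "blockable" finding is a stylesheet the browser will refuse to load on an HTTPS page, and an "optionally-blockable" one is an image that loads with a mixed-content warning.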