🚨 CSS Injection on GitHub: What Happened and How to Stay Safe 🚨

Sh Raj - Jun 8 - - Dev Community

🚨 CSS Injection on GitHub: What Happened and How to Stay Safe 🚨

Hey Dev.to community! 🌟

I wanted to bring your attention to a recent security issue involving CSS injection on GitHub. This incident has been a hot topic and underscores the importance of staying vigilant with web security. Let's break down what happened, the implications, and how we can protect our projects from such vulnerabilities.

What Happened? πŸ•΅οΈβ€β™‚οΈ

Recently, a CSS injection vulnerability was discovered on GitHub profiles. This type of attack allows malicious users to inject unauthorized CSS code into web pages, potentially altering their appearance and behavior in harmful ways. Steve Matindi wrote an insightful article on Medium titled "CSS Injection on GitHub Profiles: From Unicode Exploits to New Bypass Techniques", where he explained how these exploits work and detailed both old and new methods attackers have used.

The Original Exploit: Unicode Command Injection

Initially, attackers found a way to inject CSS styles using LaTeX math mode with the \unicode command. Here’s an example of the code used:

$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: 100; position: fixed; top: 0; left: 0; height: 100vh; object-fit: cover; background-size: cover; width: 100vw; opacity: 1.0; background: url('https://github.com/stevemats/stong/blob/master/Rotating_cube_SMIL.svg?raw=true');]{x0000}$}$$
Enter fullscreen mode Exit fullscreen mode

This code injected styles that altered the appearance of a profile page by placing an image as the background and applying various CSS properties.

GitHub’s Response: Blocking the Unicode Command

To counter this exploit, GitHub blocked the \unicode command in LaTeX math mode. Users trying to use this command now see an error message: "The following macros are not allowed: \unicode."

A New Bypass Technique: HTML Character Encoding

Despite GitHub's efforts, attackers found a new way to bypass the filter using HTML character encoding. Here’s an example of the updated exploit:

$$\ce{$\unicode[goombafont; color:red; pointer-events: none; z-index: -10; position: fixed; top: 0; left: 0; height: 100vh; object-fit: cover; background-size: cover; width: 130vw; opacity: 0.5; background: url('https://user-images.githubusercontent.com/30528167/92789817-e4b53d80-f3b3-11ea-96a4-dad3ea09d237.png?raw=true');]{x0000}$}$$
Enter fullscreen mode Exit fullscreen mode

How It Works

  1. HTML Character Encoding: The sequence \ is the HTML entity for the backslash (\). This encoding helps avoid directly writing the \unicode command, which GitHub’s filter blocks.
  2. LaTeX Math Mode: The code remains enclosed within LaTeX math mode markers ($$...$$), allowing LaTeX commands.
  3. Chemical Equation (\ce) Environment: The \ce command acts as a wrapper, potentially disguising the intent of the code.
  4. Unicode Command Injection: When decoded, the \ entity is interpreted as a backslash, executing the \unicode command with the specified CSS properties.

Why This Bypass Works

  • Encoding Trick: By using \, the command is hidden from the filter that blocks \unicode.
  • Command Interpretation: Once rendered, the encoded character is interpreted correctly, executing the command.

GitHub's Continued Efforts

GitHub is actively addressing this new method by further tightening their filters and enhancing their security measures. These steps are crucial for several reasons:

  • Security Risks: Arbitrary CSS injection poses significant security vulnerabilities, including phishing risks.
  • Site Integrity: CSS injection can disrupt the site's consistent appearance and functionality.
  • Abuse Prevention: Restrictions are necessary to prevent malicious actors from exploiting CSS injection for harmful activities.
  • User Experience: Excessive styles can lead to poor user experiences, making profiles unusable or visually overwhelming.

Protecting Your Projects 🚧

As developers, we must be proactive in safeguarding our projects against CSS injection and other security threats. Here are some best practices:

  1. Sanitize and Validate User Inputs: Always ensure user inputs are sanitized and validated before processing or rendering them.
  2. Implement Content Security Policies (CSP): Use CSP headers to restrict the sources from which CSS and other resources can be loaded.
  3. Conduct Regular Security Audits: Regularly audit your code and conduct security reviews to identify and fix vulnerabilities.
  4. Stay Informed: Keep up with the latest security trends and updates.

Resources πŸ“š

To dive deeper into CSS injection and prevention techniques, check out these resources:

Conclusion

Security vulnerabilities like CSS injection are a stark reminder of the ever-present threats in web development. By adopting best practices and staying vigilant, we can protect our projects and users from malicious attacks. Let’s all stay safe and keep coding securely! πŸ’ͺ✨

Feel free to share your thoughts and additional tips in the comments. Happy coding! πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»


References:


I hope this helps! If you have any further details or specific questions about the vulnerability, feel free to ask. 😊


Tweets

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .