Keycloak / KEYCLOAK-19186

Path-relative stylesheet import (PRSSI) vulnerability


Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component: Account - Console

Description

GET request to: "auth/"

Stylesheet imports in question:
```
<link href="resources/4mjgh/common/keycloak/node_modules/patternfly/dist/css/patternfly.css" rel="stylesheet">
<link href="resources/4mjgh/common/keycloak/node_modules/patternfly/dist/css/patternfly-additions.css" rel="stylesheet">
<link href="resources/4mjgh/welcome/keycloak/css/welcome.css" rel="stylesheet">
```

Threat
Relative URLs can be dangerous because the browser may not determine the correct directory to resolve them against. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

Impact
An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution
It is recommended to remove relative URLs and use absolute URLs in CSS imports.
The following alternatives can be applied to avoid PRSSI vulnerabilities:

• Set a DOCTYPE that does not allow Quirks mode, as explained at https://hsivonen.fi/doctype/
• Set the response header X-Frame-Options: deny
• Set the response header X-Content-Type-Options: nosniff
• Define an HTML base tag to specify the base URL for all relative URLs in a document.
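As an added illustration (not code from the Keycloak project or from this report), the following Python checks one HTML response against the solution list above and rewrites path-relative stylesheet hrefs to absolute ones. The page URL https://sso.example.com/auth/ and the sample markup are constructed from the links quoted in the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
class _LinkCollector(HTMLParser):
    """Collects stylesheet hrefs, the <base href>, and whether a DOCTYPE was seen."""
    def __init__(self):
        super().__init__()
        self.stylesheets, self.base_href, self.has_doctype = [], None, False
    def handle_decl(self, decl):  # fires for "<!DOCTYPE html>"
        self.has_doctype |= decl.lower().startswith("doctype")
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "stylesheet" and a.get("href"):
            self.stylesheets.append(a["href"])
        elif tag == "base" and a.get("href"):
            self.base_href = a["href"]

def is_path_relative(href):
    """True when href has neither a scheme nor a leading slash: it then resolves against the request path, the ambiguity PRSSI exploits."""
    return re.match(r"^(?:[a-z][a-z0-9+.-]*:|//|/)", href, re.I) is None

def audit_prssi(headers, body):
    """Findings for one HTML response, mirroring the report's solution list."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    p = _LinkCollector()
    p.feed(body)
    findings = []
    relative = [s for s in p.stylesheets if is_path_relative(s)]
    if relative and not p.base_href:
        findings.append("path-relative stylesheet hrefs without <base>: %s" % relative)
    if not p.has_doctype:
        findings.append("no DOCTYPE: page may render in quirks mode")
    if h.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options") not in ("deny", "sameorigin"):
        findings.append("missing X-Frame-Options: deny")
    return findings

def absolutize_stylesheets(body, page_url):
    """Rewrite path-relative stylesheet hrefs to absolute URLs resolved from page_url (must end in '/')."""
    def fix_href(m):
        href = m.group(1)
        return 'href="%s"' % (urljoin(page_url, href) if is_path_relative(href) else href)
    def fix_tag(m):
        tag = m.group(0)
        return re.sub(r'href="([^"]*)"', fix_href, tag) if 'rel="stylesheet"' in tag.lower() else tag
    return re.sub(r"<link\b[^>]*>", fix_tag, body)
# Constructed sample: the welcome page markup quoted in this report, served with no DOCTYPE.
SAMPLE_BODY = '<html><head><link href="resources/4mjgh/welcome/keycloak/css/welcome.css" rel="stylesheet"></head><body></body></html>'
```

Running audit_prssi on SAMPLE_BODY with no headers reports all four conditions; adding a DOCTYPE, the two headers, and either a <base> tag or absolutized hrefs clears the findings.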

People

    Assignee: Unassigned
    Reporter: sebas-1 Sebas Higler
    Votes: 0
    Watchers: 4
