Exploring security vulnerabilities that are introduced in Cascading Style Sheets

Cascading Style Sheets (CSS) are applied directly to Hypertext Markup Language (HTML) in order to apply Web page style. The style changes to Web pages are simplified and applied quickly by using external style sheets or by using embedded or inline style declarations. Style declarations work directly with HTML tags and malicious scripts can be applied to HTML. This study was initiated to determine if CSS was vulnerable to malicious scripting. Employing qualitative research, two case studies were applied using Microsoft security bulletins to identify security vulnerabilities pertaining to CSS cross-domain disclosure and memory corruption. The study also identified methods for improving Web site security. Vulnerabilities to malicious scripting were confirmed in CSS as was the fact that CSS hacks did not improve Web page security. It is recommended that users and developers need to be aware of security intrusions that occur using Web page links or through access to any content or object located on a Web page. Users, developers, and network administrators are encouraged to implement and apply security precautions. Future research could include examination of source code pertaining to Web-based application security.