
CSS XSS



By ghostghost | 12288 Reads |

It is in fact possible to execute an XSS vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS. Microsoft's IE will actually allow JavaScript to be executed within the style sheet if you use the expression() function. Example:

test {
width: expression(100 + "px");
}

Now, the interesting thing here is that you don't use any of the conventional injects. No tags, no escapes. Just text.

test {
width: expression(alert(1));
}

Interesting… now… how to use this? Many BBs allow the color tag to set color. Some filter the input to make sure it is a color or such; however, there are exploitable ones out there.

I've also found that this vulnerability will crash Konqueror (at least on my box and my mate's box).

So I suppose here is a new attack vector for XSS. Not really to attack a .css file, though you could use it if you got write permissions (a sneaky place to hide your cookie stealer), but rather more for inline assaults bypassing BB code filters and such.

Enjoy. :D
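Added example (not part of the original article, and not any forum package's real code): a BBCode color renderer that only HTML-escapes its input, next to one that allowlists the value before it reaches the style attribute. The function names, the list of colour names and the sample inputs are all constructed for illustration.

```javascript
// HTML-escape the characters an htmlentities()-style filter handles.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Weak: escaping alone. The value cannot leave the attribute, but it is
// still parsed as CSS, so extra declarations pass through unchanged.
function renderColorNaive(value, text) {
  return `<span style="color: ${escapeHtml(value)}">${escapeHtml(text)}</span>`;
}

// Strict: accept only a hex colour or a name from a fixed list
// (hypothetical list; extend as needed).
const NAMED = new Set(['black', 'white', 'red', 'green', 'blue', 'yellow',
                       'orange', 'purple', 'gray', 'grey']);
const HEX = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

function isSafeColor(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  return HEX.test(v) || NAMED.has(v.toLowerCase());
}

// Anything that is not a plain colour loses its styling; the text is
// still rendered, escaped.
function renderColorStrict(value, text) {
  if (!isSafeColor(value)) return escapeHtml(text);
  const color = value.trim().toLowerCase();
  return `<span style="color: ${color}">${escapeHtml(text)}</span>`;
}

// Constructed inputs: two ordinary colours and the article's expression() text.
const samples = ['red', '#FF0000', 'red; width: expression(alert(1))'];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  naive :', renderColorNaive(s, 'test'));
  console.log('  strict:', renderColorStrict(s, 'test'));
}
```

Because the strict version matches a positive pattern, it does not need to recognise expression() or any other CSS function by name.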

Comments
mido 17 years ago

Like [color = red; //xss]…

ghost 17 years ago

Wow nice find. That's the last place I'd try to put some Javascript <_<

ghost 17 years ago

:D enjoy my friends

richohealey 17 years ago

hahaha… actually it didn't just crash Konqueror, it fucked KDE right in the butthole.

ghost 17 years ago

oh, my bad… still… did damage. :D :D :D and that's the goal. lmfao

mido 17 years ago

But, that's not new!

Flaming_figures 17 years ago

I haven't heard of it, but there ain't another article on this site so that's what matters :P lol, I lolled when I saw this cuz I used web developer to inject a new button. They allowed you to change but didn't show you the tags, so I made a button… I learned it used CSS :P

spyware 17 years ago

@Mido, "I was reading a few whitepapers yesterday and I came across something interesting about CSS"

ghost 17 years ago

thanks spyware… yeah… I'm just posting it for everyone that doesn't spend hours reading whitepapers. lol

mido 17 years ago

Nice article generally.

ghost 17 years ago

I emailed this direct to samurai but thought I'd post here as well JIC he's not around… can't seem to get this exploit to work at all

[color=red; .test{width = expression(alert(1));]test[/color]

this translates in html to

<font color="red; .test{width = expression(alert(1));">test</font>

but CSS just doesn't work? I have element in the DOM with class text, so it's like the CSS just doesn't get parsed

if i do this: <font color="red" style=".test{width = expression(alert(1));">test</font>

thus breaking out of color attribute and into style, the CSS is rendered and I get the popup, but ofc in any BB it has htmlentities so no double quotes…

any ideas would be appreciated!

ghost 17 years ago

you're doing the inline wrong: <font color='red' style='width: expression(alert(1))'> The color tag is wrong for the same reason. Also, remember this only works on IE… I don't mean the exploit, I mean expression… expression() is only an IE feature

ghost 17 years ago

I understand now, the problem is most ppl use double quotes for attributes (color="xx") so using single quote to break into style attribute does not work, and 99% ppl also entitize double quotes… it's nice, just not that practical

I wonder if there are any methods to work around htmlentities so you can use <>" etc…

ghost 17 years ago

say what? it doesn't matter if they use ' or " it works the same… I have a feeling you DON'T know CSS and DON'T understand how this works

ghost 17 years ago

Ok, I didn't know single quotes broke out of attributes which use double quotes (not sure why)

The site I'm trying it on is not checking it's an actual colour, but it is I think doing a trim() and if I do for example google.com' title='lol' it outputs google.com' title='lol' and it doesn't break from the href. I experimented with encoding the space etc. but no luck so far, any bright ideas?

spyware 17 years ago

I've got a bright idea, read the article properly.

ghost 17 years ago

yeah… the problem is that you don't fully understand what is happening here. read some on CSS…

ghost 17 years ago

Read some on CSS is a bit vague…what should I be reading about.

What is happening here then? Because the only other thing I can think of is you are embedding flat CSS into a colour tag which 99% would filter

ghost 17 years ago

Hmm, just wondering - is it because some forums use style="color:xxx" so all you'd have to do is provide it with the expression…

ghost 17 years ago

Yeh I see now, it's simple, I've just never come across any application that uses the style attribute before, which is why I was thinking you had to break out of the color attribute for example. Now I've seen SMF uses style for colors and sizes, I understand it