Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

CSS XSS


CSS XSS

By ghostghost | 12289 Reads |
0     0

It is infact possible to execute an xss vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS. Microsoft\'s IE actually will allow javascripts to be executed within the style sheet if you use the expres<i></i>sion() function. Example:

test {
width = expres&lt;i&gt;&lt;/i&gt;sion(100 + &#92;&quot;px&#92;&quot;);
}

Now, the interesting thing here is that you don\'t use any of the conventional injects. No Tags, No escapes. Just text.

test {
width = expres&lt;i&gt;&lt;/i&gt;sion(alert(1));

Interesting… now… how to use this? Many BB\'s allow the color tag to set color. Some filter the inputs to make sure it is a color or such, however; there are exploitable ones out there.

I\'ve also found that this vulnerability will crash Konqueror (atleast on my box and my mate\'s box).

So I suppose here is a new attack vector for XSS\'s. Not really to attack a .css file, though you could use it if you got write permissions. a sneaky place to hide your cookie stealer, but rather more for inline assaults bypassing BB code filters and such.

Enjoy. :D

Comments
ghost's avatar
ghost 17 years ago

Great article… I'd never thought that was possible. Thanks for share your knoledge :D

ghost's avatar
ghost 17 years ago

Nice article… especially the part about the expression() function.

ghost's avatar
ghost 16 years ago

LOL, 'the part about the expression() function' that was kinda the point of the article :D

ghost's avatar
ghost 16 years ago

this is good, thanks for sharing

ghost's avatar
ghost 16 years ago

amazing article, did it on first try after reading this

sam207's avatar
sam207 16 years ago

oh so good one.. thanks.. thanks for sharing..

fashizzlepop's avatar
fashizzlepop 15 years ago

This is pretty cool. Unfortunately it is a COMPLETE spoiler for one of the basics. Just a quick copy and paste, no need to change anything.

SySTeM's avatar
SySTeM 15 years ago

Lol, I pwn'd my school's wiki with this :) <p style="width:expression(alert(/owned/))"> har har har :)

ghost's avatar
ghost 15 years ago

Great article, helped me allot and expanded my mind on XSS.

kingasmk's avatar
kingasmk 13 years ago

it's a great article and explanation thanks you :D

DonMilano's avatar
DonMilano 12 years ago

:ninja:

t0xikd0s's avatar
t0xikd0s 11 years ago

Very interesting. I was led here from this page, and I don't have even the vaguest idea how to apply it when that challenge removes 'script' as well as 'expression'