CSS XSS
It is in fact possible to execute an XSS vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS. Microsoft's IE actually will allow JavaScript to be executed within the style sheet if you use the expression() function. Example:
test {
    /* IE-only: the JavaScript is evaluated and its result used as the width */
    width: expression(100 + "px");
}
Now, the interesting thing here is that you don't use any of the conventional injects. No tags, no escapes. Just text.
test {
    /* IE evaluates alert(1) when it applies the rule */
    width: expression(alert(1));
}
Interesting… now… how to use this? Many BBs allow the color tag to set color. Some filter the inputs to make sure it is a color or such; however, there are exploitable ones out there.
I've also found that this vulnerability will crash Konqueror (at least on my box and my mate's box).
So I suppose here is a new attack vector for XSS. Not really to attack a .css file, though you could use it if you got write permissions (a sneaky place to hide your cookie stealer), but rather more for inline assaults bypassing BB code filters and such.
Enjoy. :D
richohealey 17 years ago
hahaha… actually it didn't just crash Konqueror, it fucked KDE right in the butthole.
Flaming_figures 17 years ago
I haven't heard of it, but there ain't another article on this site so that's what matters :P lol, I lolled when I saw this cuz I used Web Developer to inject a new button. They allowed you to change but didn't show you the tags, so I made a button… I learned it used CSS :P
ghost 17 years ago
thanks spyware… yea… I'm just posting it for everyone that doesn't spend hours reading whitepapers. lol
ghost 17 years ago
I emailed this direct to samurai but thought I'd post here as well JIC he's not around… can't seem to get this exploit to work at all
[color=red; .test{width = expression(alert(1));]test[/color]
this translates in html to
<font color="red; .test{width = expression(alert(1));">test</font>
but the CSS just doesn't work? I have an element in the DOM with class text, so it's like the CSS just doesn't get parsed
if i do this: <font color="red" style=".test{width = expression(alert(1));">test</font>
thus breaking out of the color attribute and into style, the CSS is rendered and I get the popup, but ofc in any BB it has htmlentities so no double quotes…
any ideas would be appreciated!
ghost 17 years ago
you're doing the inline wrong: <font color='red' style='width: expression(alert(1))'> the color tag is wrong for the same reason. also, remember this only works on IE… I don't mean the exploit, I mean expression… expression() is only an IE feature
ghost 17 years ago
I understand now, the problem is most ppl use double quotes for attributes (color="xx") so using a single quote to break into the style attribute does not work, and 99% of ppl also entitize double quotes… it's nice, just not that practical
I wonder if there are any methods to work around htmlentities so you can use <>" etc…
ghost 17 years ago
say what? it doesn't matter if they use ' or ", it works the same… I have a feeling you DON'T know CSS and DON'T understand how this works
ghost 17 years ago
Ok, I didn't know single quotes broke out of attributes which use double quotes (not sure why)
The site I'm trying it on is not checking it's an actual colour, but it is I think doing a trim() and if I do for example google.com' title='lol' it outputs google.com' title='lol' and it doesn't break from the href. I experimented with encoding the space etc. but no luck so far, any bright ideas?
ghost 17 years ago
yeah… the problem is that you don't fully understand what is happening here. read some on CSS…
ghost 17 years ago
Read some on CSS is a bit vague… what should I be reading about?
What is happening here then? Because the only other thing I can think of is you are embedding flat CSS into a colour tag which 99% would filter
ghost 17 years ago
Hmm, just wondering - is it because some forums use style="color:xxx" so all you'd have to do is provide it with the expression…
ghost 17 years ago
Yeh I see now, it's simple. I'd just never come across any application that uses the style attribute before, which is why I was thinking you had to break out of the color attribute for example. Now I've seen SMF uses style for colors and sizes I understand it
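The thread's point, for anyone maintaining a board: a [color] tag that passes its value straight into a style attribute hands the CSS parser attacker-controlled text, and legacy IE would run whatever sits inside expression(). The fix is not to look for the word "expression" but to refuse anything that is not a colour. The following is an added example, not code from the original thread or from any forum software named in it; the colour allowlist, the function names and the sample inputs (built from the strings posted above) are my own assumptions. It renders [color=...]...[/color] only when the value is a known colour name or a #rgb/#rrggbb hex value, and otherwise drops the styling and emits the escaped text.

```javascript
// Added example: strict allowlist rendering of a BBCode [color] tag so that
// no attacker-controlled bytes reach a style attribute. Not from the thread.

// Constructed allowlist of CSS colour names; a real board would use the full
// CSS named-colour list, but the principle is the same.
const NAMED_COLORS = new Set([
  "black", "white", "red", "green", "blue", "yellow",
  "orange", "purple", "gray", "grey",
]);
// #rgb or #rrggbb, nothing else (no spaces, semicolons, braces or quotes).
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// True only for a bare colour value. "red; .test{width: expression(...)"
// and "red' style='..." both fail because they are not a colour.
function isSafeColor(value) {
  const v = value.trim();
  return NAMED_COLORS.has(v.toLowerCase()) || HEX_COLOR.test(v);
}

// Escape text for HTML content and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Render [color=VALUE]TEXT[/color]. The colour is validated before it is
// interpolated; an invalid colour yields the escaped text with no styling.
function renderColorTag(bbcode) {
  return bbcode.replace(
    /\[color=([^\]]*)\](.*?)\[\/color\]/gis,
    (match, color, text) => {
      const inner = escapeHtml(text);
      if (!isSafeColor(color)) {
        return inner; // reject: never emit an unvalidated value in style=
      }
      return `<span style="color:${color.trim().toLowerCase()}">${inner}</span>`;
    },
  );
}

// Constructed sample inputs, modelled on the strings posted in the thread.
const SAMPLES = [
  "[color=red]test[/color]",
  "[color=#FF0000]test[/color]",
  "[color=red; .test{width: expression(alert(1));]test[/color]",
  "[color=red' style='width: expression(alert(1))]test[/color]",
  "[color=red]<b>bold?</b>[/color]",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "=>", renderColorTag(s));
}
```

The design choice worth noting is that the validator is an allowlist on the whole value, so it does not need to know about expression(), url(), behaviors or any future parser feature; a denylist of dangerous substrings would have to be maintained forever and would still be defeated by the lenient parsing the thread relies on. The same rule applies to [size], [font] and any other tag whose value ends up inside style=.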