CSS XSS
It is in fact possible to trigger an XSS vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS. Microsoft's IE will actually allow JavaScript to be executed within a style sheet if you use the expression() function. Example:
test {
    width: expression(100 + "px");
}
Now, the interesting thing here is that you don't use any of the conventional injects. No tags, no escapes. Just text.
test {
    width: expression(alert(1));
}
Interesting… now… how to use this? Many BBs allow the color tag to set color. Some filter the input to make sure it is a color or such; however, there are exploitable ones out there.
I've also found that this vulnerability will crash Konqueror (at least on my box and my mate's box).
So I suppose here is a new attack vector for XSS. Not really to attack a .css file, though you could use it if you got write permissions (a sneaky place to hide your cookie stealer), but rather more for inline assaults bypassing BB code filters and such.
Enjoy. :D
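One way to close the hole described above for a BB color tag, as an added example that is not part of the original article: validate the value against a strict allowlist instead of trying to spot expression(). The function names, the colour list and the sample posts are hypothetical.

```javascript
// Added example: allowlist filter for a BBCode [color=...] tag.
// safeColor, renderColorTags and the sample posts are hypothetical names/data.

const NAMED_COLORS = new Set([
  "black", "white", "red", "green", "blue", "yellow", "orange",
  "purple", "gray", "silver", "maroon", "navy", "teal", "olive",
]);

// Accept only #rgb / #rrggbb or a known colour name; nothing else reaches CSS.
function safeColor(value) {
  const v = String(value).trim().toLowerCase();
  if (/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/.test(v)) return v;
  if (NAMED_COLORS.has(v)) return v;
  return null;
}

// HTML-escape text so the tag body cannot introduce markup either.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Convert [color=X]body[/color]. When X fails the allowlist the style is
// dropped and only the escaped body is emitted.
function renderColorTags(post) {
  const tag = /\[color=([^\]]*)\]([\s\S]*?)\[\/color\]/gi;
  let out = "";
  let last = 0;
  for (const m of post.matchAll(tag)) {
    out += escapeHtml(post.slice(last, m.index));
    const color = safeColor(m[1]);
    const body = escapeHtml(m[2]);
    out += color ? `<span style="color:${color}">${body}</span>` : body;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(post.slice(last));
}

// Constructed sample posts: one legitimate colour, one using the article's value.
console.log(renderColorTags("[color=#ff0000]hi[/color]"));
console.log(renderColorTags("[color=expression(alert(1))]hi[/color]"));
```

Because the filter only ever emits values it recognises, it does not depend on knowing which CSS functions a given browser will evaluate.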
ghost 17 years ago
Great article… I'd never thought that was possible. Thanks for sharing your knowledge :D
ghost 16 years ago
LOL, 'the part about the expression() function' that was kinda the point of the article :D
fashizzlepop 15 years ago
This is pretty cool. Unfortunately it is a COMPLETE spoiler for one of the basics. Just a quick copy and paste, no need to change anything.
SySTeM 15 years ago
Lol, I pwn'd my school's wiki with this :) <p style="width:expression(alert(/owned/))"> har har har :)