on September 10 2007 - 18:25:45
Like [color = red; //xss]... |
on September 10 2007 - 20:45:56
Wow nice find. That's the last place I'd try to put some Javascript <_< |
on September 11 2007 - 02:13:47
enjoy my friends |
on September 11 2007 - 10:01:19
hahaha... actually it didn't just crash Konqueror, it fucked KDE right in the butthole. |
on September 11 2007 - 12:00:47
oh, my bad... still... did damage. and that's the goal. lmfao |
on September 11 2007 - 18:44:58
But, that's not new! |
on September 11 2007 - 20:02:52
I haven't heard of it, but there ain't another article on this site, so that's what matters lol. I lolled when I saw this cuz I used Web Developer to inject a new button. They allowed you to change it but didn't show you the tags, so I made a button... I learned it used CSS |
on September 11 2007 - 22:33:28
@Mido, "I was reading a few whitepapers yesterday and I came across something interesting about CSS" |
on September 12 2007 - 03:36:50
Thanks spyware... yea... I'm just posting it for everyone that doesn't spend hours reading whitepapers. lol |
on September 12 2007 - 07:29:06
Nice article generally. |
on September 13 2007 - 01:34:07
I emailed this direct to samurai but thought I'd post here as well JIC he's not around... can't seem to get this exploit to work at all
[color=red; .test{width = expression(alert(1));]test[/color]
this translates in html to
<font color="red; .test{width = expression(alert(1));">test</font>
but the css just doesn't work? I have an element in the dom with class test, so it's like the css just doesn't get parsed
if I do this:
<font color="red" style=".test{width = expression(alert(1));">test</font>
thus breaking out of the color attribute and into style, the css is rendered and I get the popup, but ofc in any bb it has htmlentities so no double quotes...
any ideas would be appreciated! |
on September 13 2007 - 22:48:15
you're doing the inline wrong: <font color='red' style='width: expression(alert(1))'>. the color tag is wrong for the same reason. also, remember this only works on IE.... i don't mean the exploit, i mean expression... expression() is only an IE feature |
on September 14 2007 - 04:01:38
I understand now, the problem is most ppl use double quotes for attributes (color="xx"), so using a single quote to break into the style attribute does not work, and 99% of ppl also entitize double quotes... it's nice, just not that practical
I wonder if there are any methods to work around htmlentities so you can use <>" etc... |
on September 14 2007 - 17:37:34
say what? it doesn't matter if they use ' or ", it works the same.... i have a feeling you DON'T know CSS and DON'T understand how this works |
on September 14 2007 - 18:02:31
Ok, I didn't know single quotes broke out of attributes which use double quotes (not sure why)
The site I'm trying it on is not checking it's an actual colour, but it is I think doing a trim(), and if I do for example google.com' title='lol' it outputs google.com' title='lol' and it doesn't break from the href. I experimented with encoding the space etc. but no luck so far, any bright ideas? |
on September 14 2007 - 18:39:57
I've got a bright idea, read the article properly. |
on September 15 2007 - 00:50:17
yeah... the problem is that you don't fully understand what is happening here. read some on CSS.... |
on September 15 2007 - 16:06:21
Read some on CSS is a bit vague... what should I be reading about?
What is happening here then? Because the only other thing I can think of is you are embedding flat CSS into a colour tag, which 99% would filter |
on September 15 2007 - 16:23:58
Hmm, just wondering - is it because some forums use style="color:xxx" so all you'd have to do is provide it with the expression... |
on September 15 2007 - 16:28:24
Yeh I see now, it's simple, I just never came across any application that uses the style attribute before, which is why I was thinking you had to break out of the color attribute for example. Now I've seen SMF uses style for colors and sizes I understand it |
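A defender's counterpart to the exchange above, added here as an example that is not from the thread or from SMF: a BBCode [color] renderer that allow-lists the colour value before placing it in a style attribute, so the style injection discussed in this thread is rejected outright rather than caught by a word filter. The colour-name list is a constructed subset, and the sample posts are constructed.

```python
import html
import re

# Allow-list for a BBCode [color=...] value: a small set of CSS colour names
# (constructed subset for this example) or a #rgb / #rrggbb hex code.
# A value such as "red; .test{width: expression(alert(1))}" fails both checks,
# so no attacker-controlled text ever reaches the style attribute.
NAMED_COLORS = frozenset({
    "red", "green", "blue", "black", "white", "yellow",
    "orange", "purple", "gray", "grey",
})
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# [color=VALUE]BODY[/color]; VALUE may not contain ']' so the match is bounded.
COLOR_TAG = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.IGNORECASE | re.DOTALL)


def is_safe_color(value: str) -> bool:
    """True only if the value is exactly one permitted colour token."""
    v = value.strip()
    return v.lower() in NAMED_COLORS or HEX_COLOR.match(v) is not None


def render_color_bbcode(text: str) -> str:
    """Render [color] tags to <span style="color: ...">, escaping everything else.

    The whole input is HTML-escaped first (quotes included, so the ' and "
    attribute-breakout attempts discussed in the thread become entities);
    only a validated colour token is then interpolated into the attribute.
    """
    escaped = html.escape(text, quote=True)

    def replace(m: re.Match) -> str:
        color, body = m.group(1), m.group(2)
        if not is_safe_color(color):
            # Unsafe value: drop the styling entirely but keep the post text.
            return body
        return f'<span style="color: {color.strip().lower()}">{body}</span>'

    return COLOR_TAG.sub(replace, escaped)


if __name__ == "__main__":
    # Constructed sample posts: a legitimate colour and the thread's payload.
    print(render_color_bbcode("[color=red]test[/color]"))
    print(render_color_bbcode("[color=red; .test{width: expression(alert(1))}]test[/color]"))
```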
on September 16 2007 - 18:14:34
Great article... I'd never thought that was possible. Thanks for sharing your knowledge |
on October 09 2007 - 22:13:00
Nice article... especially the part about the expression() function. |
on January 18 2008 - 17:48:05
LOL, 'the part about the expression() function' that was kinda the point of the article |
on May 01 2008 - 22:35:32
this is good, thanks for sharing |
on May 17 2008 - 23:08:52
amazing article, did it on first try after reading this |
on September 21 2008 - 11:47:42
oh so good one.. thanks.. thanks for sharing.. |
on January 20 2009 - 06:19:02
This is pretty cool. Unfortunately it is a COMPLETE spoiler for one of the basics. Just a quick copy and paste, no need to change anything. |
on March 03 2009 - 10:09:16
Lol, I pwn'd my school's wiki with this <p style="width:expression(alert(/owned/))"> har har har |
on April 13 2009 - 07:15:48
Great article, helped me a lot and expanded my mind on XSS. |
on May 28 2011 - 11:04:18
it's a great article and explanation, thank you |