An explanation of a new XSS assault vector. Only useful for IE and semi-useful against Konqueror.
It is in fact possible to execute an XSS vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS. Microsoft's IE actually will allow JavaScript to be executed within the style sheet if you use the expression() function.
Example:
test {
    width: expression(100 + "px");
}
Now, the interesting thing here is that you don't use any of the conventional injects. No tags, no escapes. Just text.
test {
    width: expression(alert(1));
}
Interesting... now... how to use this?
Many BBs allow the color tag to set color. Some filter the input to make sure it is a color or such; however, there are exploitable ones out there.
I've also found that this vulnerability will crash Konqueror (at least on my box and my mate's box).
So I suppose here is a new attack vector for XSS. Not really to attack a .css file, though you could use it if you got write permissions (a sneaky place to hide your cookie stealer), but rather more for inline assaults bypassing BB code filters and such.
Enjoy. :D
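Added example, not part of the original post and not taken from any real board's code: a toy BBCode [color=...] renderer in JavaScript that shows the filter-bypass point above. Both renderers HTML-escape everything they emit, so the usual tags-and-quotes checks pass; the difference is that the hardened one only accepts a whitelist of colour names or a #hex value before putting anything into the style attribute. The sample post, the colour whitelist and the function names are all constructed for this example.

```javascript
// Added example (not from the original post): a minimal BBCode [color=...] renderer,
// once without and once with a strict colour whitelist, plus a detector for the
// IE-only expression() construct in emitted HTML.

// Constructed sample post: one benign tag and one carrying an expression() payload.
// Note the payload contains no '<', '>', '"' or '&' at all - "just text".
const SAMPLE_POST =
  '[color=red]hello[/color] [color=expression(alert(1))]pwned[/color]';

const TAG_RE = /\[color=([^\]]*)\]([\s\S]*?)\[\/color\]/gi;

// Plain HTML entity escaping. This is what many boards rely on, and it is not
// enough here because the payload uses none of the escaped characters.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable: escapes the colour value but otherwise copies it straight into
// the style attribute, so "expression(alert(1))" survives intact.
function renderColorVulnerable(bbcode) {
  return bbcode.replace(TAG_RE, (m, color, inner) =>
    `<span style="color: ${escapeHtml(color)};">${escapeHtml(inner)}</span>`);
}

// Hardened: only a fixed set of colour names or a #rgb / #rrggbb hex value is
// allowed into the style attribute; anything else is dropped and the inner
// text is emitted unstyled.
const NAMED_COLORS = new Set([
  'red', 'green', 'blue', 'black', 'white', 'yellow', 'orange', 'purple', 'gray', 'grey',
]);
const HEX_RE = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

function isSafeColor(value) {
  const v = value.trim().toLowerCase();
  return NAMED_COLORS.has(v) || HEX_RE.test(v);
}

function renderColorHardened(bbcode) {
  return bbcode.replace(TAG_RE, (m, color, inner) =>
    isSafeColor(color)
      ? `<span style="color: ${color.trim().toLowerCase()};">${escapeHtml(inner)}</span>`
      : escapeHtml(inner));
}

// Detection helper for logs or output checks: strips CSS comments first so a
// payload split as "expr/**/ession(" is still caught, then looks for the keyword.
function containsCssExpression(html) {
  const noComments = html.replace(/\/\*[\s\S]*?\*\//g, '');
  return /expression\s*\(/i.test(noComments);
}

console.log(renderColorVulnerable(SAMPLE_POST));
console.log(renderColorHardened(SAMPLE_POST));
```

The whitelist approach is the durable fix: rather than trying to blacklist `expression`, `url(`, `javascript:` and whatever IE accepts next, decide what a colour is allowed to look like and refuse everything else.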
