Understanding is the answer, hatred is the problem, and hackers are the slaves abused and destroyed in the process of peace online - Deshouleres
Thursday, April 17, 2014
An explanation of a new XSS attack vector. Only useful against IE, and semi-useful against Konqueror.

It is in fact possible to trigger an XSS vulnerability using CSS. I was reading a few whitepapers yesterday and I came across something interesting about CSS: Microsoft's IE will actually execute JavaScript from within a style sheet if you use the expression() function.

test {
    width: expression(100 + "px");
}

Now, the interesting thing here is that you don't use any of the conventional injection tricks. No tags, no escapes. Just text.

test {
    width: expression(alert(1));
}

Interesting... now... how to use this?
Many BBs allow a color tag to set the text color. Some filter the input to make sure it really is a color or similar; however, there are exploitable ones out there.

I've also found that this will crash Konqueror (at least on my box and my mate's box).

So I suppose this is a new attack vector for XSS. It is not really for attacking a .css file, though you could use it that way if you got write permissions (a sneaky place to hide your cookie stealer); it is more for inline attacks that bypass BB code filters and the like.
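As an added illustration (not part of the original article), the following Python sketch shows the defensive side of what is described above: a BB-code [color=...] renderer that only ever passes an allowlisted colour into a style attribute, plus a detection helper that still spots expression( when it has been split up with inline tags (the way the article's own expres<i></i>sion spelling does), CSS comments or whitespace. The named-colour list is a constructed, truncated sample and the function names are assumptions, not any forum software's real API.

```python
import html
import re

# Constructed allowlist: a handful of CSS named colours plus #rgb / #rrggbb hex.
# A real filter would carry the full CSS named-colour list.
NAMED_COLORS = {"red", "green", "blue", "black", "white",
                "yellow", "orange", "purple", "gray", "grey"}
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Noise an attacker can sprinkle between the letters of expression(:
# inline HTML tags, CSS comments and whitespace.
STRIP_NOISE = re.compile(r"<[^>]*>|/\*.*?\*/|\s", re.DOTALL)

# [color=X]text[/color], tolerating spaces around the '=' as in the comments below.
COLOR_TAG = re.compile(r"\[color\s*=\s*([^\]]*)\](.*?)\[/color\]",
                       re.DOTALL | re.IGNORECASE)


def is_safe_color(value: str) -> bool:
    """Accept only a bare named colour or a short/long hex colour.

    Anything else (a ';', a '{', a function call) is rejected outright,
    so the value can never smuggle an extra CSS declaration into style="".
    """
    v = value.strip().lower()
    return v in NAMED_COLORS or bool(HEX_COLOR.match(v))


def looks_like_expression(value: str) -> bool:
    """Detection helper for logging/alerting: True if the value still reads
    'expression(' once tags, comments and whitespace are removed and the case
    is folded. Used for visibility; rendering relies on the allowlist, not this."""
    flat = STRIP_NOISE.sub("", value).lower()
    return "expression(" in flat


def render_color_tag(bbcode: str) -> str:
    """Render [color=X]text[/color] as a span whose style attribute receives only
    a validated colour; invalid colours drop the tag and keep the escaped text."""
    def repl(m: re.Match) -> str:
        color, inner = m.group(1), m.group(2)
        escaped_inner = html.escape(inner, quote=True)
        if not is_safe_color(color):
            return escaped_inner
        return f'<span style="color:{color.strip().lower()}">{escaped_inner}</span>'
    return COLOR_TAG.sub(repl, bbcode)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two using the article's technique.
    samples = [
        "[color=red]hi[/color]",
        "[color=red; width: expression(alert(1))]test[/color]",
        "[color = red; .test{width = expres<i></i>sion(alert(1));}]x[/color]",
    ]
    for s in samples:
        print(f"{s!r}\n  -> {render_color_tag(s)!r}"
              f"  (expression detected: {looks_like_expression(s)})")
```

The renderer never tries to "clean" a bad colour; it simply refuses anything that is not a colour, which is what closes the hole for every browser at once. The detector is separate so that attempts can be logged even though they were already neutralised.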

Enjoy. :D


mido on September 10 2007 - 18:25:45
Like [color = red; //xss]...
kirk_halo1994 on September 10 2007 - 20:45:56
Wow nice find. That's the last place I'd try to put some Javascript <_<
only_samurai on September 11 2007 - 02:13:47
enjoy my friends
richohealey on September 11 2007 - 10:01:19
hahaha... actually it didn't just crash Konqueror, it fucked KDE right in the butthole.
only_samurai on September 11 2007 - 12:00:47
oh, my bad... still... did damage. and that's the goal. lmfao
mido on September 11 2007 - 18:44:58
But, that's not new!
Flaming_figures on September 11 2007 - 20:02:52
I haven't heard of it, but there ain't another article on this site so that's what matters, lol. I lolled when I saw this cuz I used web developer to inject a new button. They allowed you to change but didn't show you the tags, so I made a button... I learned it used css
spyware on September 11 2007 - 22:33:28
@Mido, "I was reading a few whitepapers yesterday and I came across something interesting about CSS"
only_samurai on September 12 2007 - 03:36:50
thanks spyware.... yea.. I'm just posting it for everyone that doesn't spend hours reading whitepapers. lol
mido on September 12 2007 - 07:29:06
Nice article generally.
YndiHalda on September 13 2007 - 01:34:07
I emailed this direct to samurai but thought I'd post here as well JIC he's not around.. can't seem to get this exploit to work at all: [color=red; .test{width = expression(alert(1));]test[/color] this translates in html to <font color="red; .test{width = expression(alert(1));">test</font> but the css just doesn't work? I have an element in the dom with class text, so it's like the css just doesn't get parsed. If I do this: <font color="red" style=".test{width = expression(alert(1));">test</font>, thus breaking out of the color attribute and into style, the css is rendered and I get the popup, but ofc in any bb it has htmlentities so no double quotes... any ideas would be appreciated!
only_samurai on September 13 2007 - 22:48:15
you're doing the inline wrong: <font color='red' style='width: expression(alert(1))'> the color tag is wrong for the same reason. also, remember this only works on IE .... I don't mean the exploit, I mean expression... expression() is only an IE feature
YndiHalda on September 14 2007 - 04:01:38
I understand now, the problem is most ppl use double quotes for attributes (color="xx") so using a single quote to break into the style attribute does not work, and 99% of ppl also entitize double quotes... it's nice, just not that practical. I wonder if there are any methods to work around htmlentities so you can use <>" etc...
only_samurai on September 14 2007 - 17:37:34
say what? it doesn't matter if they use ' or ", it works the same.... I have a feeling you DON'T know CSS and DON'T understand how this works
YndiHalda on September 14 2007 - 18:02:31
Ok, I didn't know single quotes broke out of attributes which use double quotes (not sure why). The site I'm trying it on is not checking it's an actual colour, but it is I think doing a trim(), and if I do for example ' title='lol' it outputs ' title='lol' and it doesn't break from the href. I experimented with encoding the space etc. but no luck so far, any bright ideas?
spyware on September 14 2007 - 18:39:57
I've got a bright idea, read the article properly.
only_samurai on September 15 2007 - 00:50:17
yeah... the problem is that you don't fully understand what is happening here. read some on CSS....
YndiHalda on September 15 2007 - 16:06:21
Read some on CSS is a bit vague... what should I be reading about? What is happening here then? Because the only other thing I can think of is you are embedding flat CSS into a colour tag which 99% would filter
YndiHalda on September 15 2007 - 16:23:58
Hmm, just wondering - is it because some forums use style="color:xxx" so all you'd have to do is provide it with the expression...
YndiHalda on September 15 2007 - 16:28:24
Yeh I see now, it's simple. I just never came across any application that uses the style attribute before, which is why I was thinking you had to break out of the color attribute for example; now I've seen SMF uses style for colors and sizes I understand it
3l_f3n1x on September 16 2007 - 18:14:34
Great article... I'd never thought that was possible. Thanks for sharing your knowledge
Zephyr_Pure on October 09 2007 - 22:13:00
Nice article... especially the part about the expression() function.
only_samurai on January 18 2008 - 17:48:05
LOL, 'the part about the expression() function' that was kinda the point of the article
sharpskater80 on May 01 2008 - 22:35:32
this is good, thanks for sharing
Syntaxe on May 17 2008 - 23:08:52
amazing article, did it on first try after reading this
sam207 on September 21 2008 - 11:47:42
oh so good one.. thanks.. thanks for sharing..
fashizzlepop on January 20 2009 - 06:19:02
This is pretty cool. Unfortunately it is a COMPLETE spoiler for one of the basics. Just a quick copy and paste, no need to change anything.
system_meltdown on March 03 2009 - 10:09:16
Lol, I pwn'd my school's wiki with this <p style="width:expression(alert(/owned/))"> har har har
ShadyTyrant on April 13 2009 - 07:15:48
Great article, helped me a lot and expanded my mind on XSS.
kingasmk on May 28 2011 - 11:04:18
it's a great article and explanation, thank you
DonMilano on April 09 2012 - 16:02:39
t0xikd0s on December 28 2012 - 22:57:16
Very interesting. I was led here from this page, and I don't have even the vaguest idea how to apply it when that challenge removes 'script' as well as 'expression'
