Yeah ok it’s a mistake, I hadn’t read it anywhere before but forgive me defending myself when I get a lot of negative comments for trying to do things different.

http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0933.html

mistake happens : ) why don’t simply acknowledge? nobody is blaming you here

[fun]ouch, found BXSS! “behavior: url(xss.htc);”, it can be embedded in an external css! [/fun]

Excellent stuff! I’m sure there’s loads more to explore in this area.

@digi7al64

Yeah the acronym might not work but I don’t really care, I just wanted to call my blog post something interesting. Yes you’re right that the delivery of insertRule may be obscure and rare but I liked it and found it interesting and I’m sure not many people are aware of it.

@kuza55

The way I conduct my research is always in a manual manner and rarely do I use cheatsheets or xss proxies etc because of this I sometimes publish things that are already mentioned elsewhere, this is purely an accident and I’m not trying to steal anyone’s work, in future however I’ll check the cheatsheet more throughly.

I feel that this post provides information that is very useful than just using the method listed in the cheatsheet because:-
1. InsertRule method is mentioned and changing the stylesheet dynamically.
2. Assigned MozBinding via a stylesheet has never been explained or mentioned anywhere as far as I know.
3. A live example of the method which demonstrates that allowing external stylesheets are a bad idea.

Why should I have to justify all this though? The cheatsheet doesn’t make every blog post on XSS obsolete.

The Cheat Sheet isn’t exactly some obscure text file which has never been indexed by google. And googling for “-moz-binding” XSS would have gotten you results, hell I linked the the part of the Cheat Sheet which mentioned the issue in a slackers thread which you later replied to.

Anyway, I know that the insertRule thing is obscure, but it really doesn’t help us anywhere, since our main interest in -moz-binding is its uses for XSS, which is pretty useless if we can execute js already. And anyway, is it any better than simply editing the style attribute directly via javascript as most developers do?

But having said that, I don’t want to stop you exploring and innovating, I just thought I ought to mention its not new. So if you have something new, please go ahead, I’m very eager to see people do new things, and as frustrating as it is when someone points out to you that its already been published, you should just take it on board, and publish something new on the same issue to spite me :p

<style>
body:after{
content: “\61\6c\65\72\74\28\31\29″
}
</style>
<script>
eval(eval(document.styleSheets[0].cssRules[0].style.content))
</script>

And while playing I found out that including an URL like http://www.google.com is tolerated by the browser and nodes in the including document even apply the styles coming from http://www.google.com.

<html>
<link rel=”stylesheet” href=”http://www.google.de/” type=”text/css” />
<script>
window.onload = function() {
console.dir(document.styleSheets)
}
</script>
<body class=”h”>
TEST
</body>
</html>

Maybe this has been written about somewhere else but at least it was new to me

Eitherway though (1 & 2) means i have free range with the css and I would probably target something more generic that would affect more browsers other then just firefox.

And with 3 why would I bother using that technique. no offence, but you would be hard pressed to find a site that allows script tags and functions but filters out src etc.

Finally, XCSS is wrong, is it cross site scripting only. if we go down the path of giving every single attack method an acronym then I want to claim IXSS (which is image cross site scripting [think IE]). Also what about RXSS (Redirect cross site scripting) or FXSS (Flash cross site scripting) etc… but you get my idea.

Still, i look forward to your work on persistant xss via css (if possible).

Just because someone creates a list of vectors doesn’t mean that someone can’t post new ideas of exploiting it.

I was going to continue this post with information about exploiting different browsers at once and rewriting urls and changing content in Opera. But hey the cheatsheet apparently tells all.

Please direct me to the place in the cheatsheet where it mentions insertRule? I’ve checked but I couldn’t find it.