Category Archives: Cascading Style Sheets

Moz-binding XSS fun

CSS supports hex encoding within styles as well as HTML entities, but did you know you could combine them both? I didn’t. To construct an attack similar to the one displayed below you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67. Notice there is no “x” prefix or double zeros like [...]

Incrementing in CSS

I’ve continued my experiments with loops in CSS and tried to find a method to allow counter-increment through a loop. The technique uses a random seed to create a unique URL each time (obviously the seed can be improved); it then uses meta refreshes to create the required history to increment the value. This technique [...]

CSS animation!

Hacking CSS is a great challenge and can lead to interesting results. I’ve reignited my interest thanks to sirdarckcat and Thornmaker, who have done some fantastic work. I wanted a way to do animation and loops in pure CSS and I think it’s sorta possible using meta refresh. I know meta refresh is slightly cheating [...]

CSS toggle buttons

Thornmaker has improved my CSS logic script, which is much neater and requires fewer styles, good work. Sirdarckcat has also created multiplication, which is amazing stuff, so I had a bit of spare time and I decided to see if it was possible to create toggles in CSS with a visual appearance of a [...]

CSS logic

Inspired by the great work of Sirdarckcat on CSK2, I’ve decided to produce a POC which performs basic logic in pure CSS. The example simply adds the numbers together depending on which checkbox you check. My next experiment will be with loops and then we can start creating some really cool games in CSS [...]

Ultimate XSS CSS injection

Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin, which I modified slightly and found that IE will also accept HTML entities in CSS styles.
Credits update
The expression part of this technique was first demonstrated by Dan on the slackers forums, nice one [...]

XCSS

I thought I’d continue the theme of experimenting with XSS and trying different things. I haven’t seen this written about anywhere, so here goes. The idea is using CSS as an XSS payload; this can be useful when filters allow some things but make it difficult to construct an attack.
I’ve decided to call it [...]

CSK update

Sirdarckcat has been doing some work on my CSK kit and has improved it with new events and data handling improvements. This is great news because I haven’t had a chance to work on it for a while; with all the projects I’m involved in, there’s just not enough time in the day. It’s still early [...]

OpenID security CSS overlays

Update…
Verisign have now fixed the vulnerability.
I’ve written about this before but I’m sure that some people might not know the risks involved, so I’ve created a demonstration of how to use CSS and iframe overlays to take any section of a web site and place it on any other web site. The user wouldn’t [...]

CSK demo

I’ve put together a little CSK demo, it’s still early stages yet and there’s quite a bit more I can do but I thought I’d share the code early because I’ve a lot on at the moment and it might be a while before the next update and also it’s really interesting stuff.
It just [...]