I thought I’d continue the theme of experimenting with XSS and trying different things. I haven’t seen this written about anywhere, so here goes. The idea is using CSS as an XSS payload; this can be useful when filters allow some things but make it difficult to construct an attack.
I’ve decided to call it [...]
Sirdarckcat has been doing some work on my CSK kit and has improved it with new events and data handling improvements. This is great news because I haven’t had a chance to work on it for a while; with all the projects I’m involved in, there’s just not enough time in the day. It’s still early [...]
Update…
Verisign have now fixed the vulnerability.
I’ve written about this before, but I’m sure that some people might not know the risks involved, so I’ve created a demonstration of how to use CSS and iframe overlays to take any section of a web site and place it on any other web site. The user wouldn’t [...]
I’ve put together a little CSK demo. It’s still early stages yet and there’s quite a bit more I can do, but I thought I’d share the code early because I’ve a lot on at the moment and it might be a while before the next update, and also it’s really interesting stuff.
It just [...]
I’ve been doing some more experimenting with CSS (god help us) and I’ve found a way to successfully store and retrieve data via CSS without page refreshes. In case you don’t know, CSK is my CSS Scripting Kit I’m developing. I plan to release the kit soon once I’ve polished some features. This is really [...]
I’m currently in the process of developing a CSS Scripting Kit called “CSK”. This kit will allow you to perform scripting actions that normally would be reserved for JavaScript. I believe the standards that browser manufacturers are adopting create major security holes and if they don’t either create new security policies to adapt to this [...]
I think the single most insecure feature of internet browsers today is iframes. You can do too much with them, and I feel I’ve only touched the surface with the examples I’ve shown. My next tool shows how simple it is to scan your entire local network from the internet using iframes, CSS and absolutely [...]
As the browser manufacturers add new features they can sometimes overlook the security implications which can often seem minor. I’ve found two such features which I think could cause problems.
CSS overlays
Iframes can be manipulated to show only a small area of the screen; even worse, you can actually overlay any other item over the top [...]
So, I’ve been working this evening. I’ve created my first couple of pages using the sIFR (scalable Inman Flash Replacement) technique.
For those of you who’ve not heard of it, sIFR allows you to replace specific targeted elements. Remember how you used to make headers for every h1/h2/h3 in Photoshop, trim to fit then do the [...]
Well, no actually, they’re not.
They’re bad, real bad. Whether it be a default font face or default colour, it’ll make the average designer sneer. Same goes for a coder. Unfortunately, with CSS, we’re dealt a large hand of default values that different browsers treat slightly differently. I’m looking at you, Internet Explorer.
A good solid [...]