Open jawz101 opened 5 years ago
Well, there's obviously the vulnerability tester: https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
But, I haven't personally encountered any sites with embedded malicious CSS. A while back the Zappos site used to trigger the plugin as they were filling in their star ratings exactly in the way that can be abused by the attack, but they have since changed these CSS rules. (Note: Zappos wasn't hacked, the way they were targeting selectors was the same as how the attack works, which is valid CSS.)
I have seen two bug bounties paid out that abused CSS Exfil to retrieve CSRF tokens, so kudos to those researchers.
But yes, if anyone does find a live example in the wild feel free to share it here. This is also a good bug for anyone to supply sites that trigger a false positive.
Someone has mentioned this before, but I've never been able to replicate. Just visited Ars right now and no rules are flagged by the plugin in my browser.
I think if the add-on had an option to send those url's to someone that causes it to trigger I would leave that option checked. This is such a set & forget add-on and I pin it to my overflow menu so I'll never actually notice if it ever get triggered.
It's suppose to be set and forget, so it's working :-) At this point most of the bugs and edge cases have been (hopefully) figured out, so it sits back and sanitizes things.
I've thought about adding a reporting option before, so maybe. Right now it doesn't send any data anywhere (as per the privacy policy I recently added).
Any chance you can grab the offending stylesheet and post it here? Or, provide a direct URL? We must be seeing different stylesheets.
Have no idea what to look for. https://gist.github.com/nobodysu/93934adb34a7e9f4c62fbc01c27f20f7 Any directions?
Thanks! This was the relevant line:
<link rel="stylesheet" type="text/css" media="all" href="https://cdn.arstechnica.net/wp-content/themes/ars/assets/css/main-af0123dfd5.css" />
But, that's the same stylesheet I'm being served and nothing triggers for me. I looked through the styles too and nothing looks like it should be triggering the rules. Are you perhaps singed in to the site? Maybe it's an artifact from another plugin?
I'm not signed in. Perhaps it's from extensions, but I don't know how to troubleshoot it. https://s.put.re/mJ2v2sLN.png
Oh! I was writing a reply and just realized I was only checking on Chrome. The plugin triggers on Firefox! OK. I have something to debug against now.
Another one on firefox: https://www.kinopoisk.ru/photos/
I finally was able to track down the reasons for the false positives on the reported URLs: https://arstechnica.com/ https://www.kinopoisk.ru/photos/ https://support.lenovo.com/us/en/
These will be fixed in the upcoming 1.0.18 release.
This subreddit seems to trigger the extension https://old.reddit.com/r/movies/
Is this just me or is there something weird in their CSS?
This subreddit seems to trigger the extension https://old.reddit.com/r/movies/
Is this just me or is there something weird in their CSS?
These are the rules being sanitized. No clue what they are for, but this is the exact type of CSS that the plugin is suppose to block.
CSS Exfil Protection blocked: [name="uh"][value$="a"] ~ a::before, [name="uh"][value$="b"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="c"] ~ a::before, [name="uh"][value$="d"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="e"] ~ a::before, [name="uh"][value$="f"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="g"] ~ a::before, [name="uh"][value$="h"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="i"] ~ a::before, [name="uh"][value$="j"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="k"] ~ a::before, [name="uh"][value$="l"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="m"] ~ a::before, [name="uh"][value$="n"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="o"] ~ a::before, [name="uh"][value$="p"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="q"] ~ a::before, [name="uh"][value$="r"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="s"] ~ a::before, [name="uh"][value$="t"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="u"] ~ a::before, [name="uh"][value$="v"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="w"] ~ a::before, [name="uh"][value$="x"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="y"] ~ a::before, [name="uh"][value$="z"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="0"] ~ a::before, [name="uh"][value$="1"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="2"] ~ a::before, [name="uh"][value$="3"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="4"] ~ a::before, [name="uh"][value$="5"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="6"] ~ a::before, [name="uh"][value$="7"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="8"] ~ a::before, [name="uh"][value$="9"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="a"] ~ a::before, [name="uh"][value$="b"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="c"] ~ a::before, [name="uh"][value$="d"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="e"] ~ a::before, [name="uh"][value$="f"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="g"] ~ a::before, [name="uh"][value$="h"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="i"] ~ a::before, [name="uh"][value$="j"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="k"] ~ a::before, [name="uh"][value$="l"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="m"] ~ a::before, [name="uh"][value$="n"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="o"] ~ a::before, [name="uh"][value$="p"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="q"] ~ a::before, [name="uh"][value$="r"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="s"] ~ a::before, [name="uh"][value$="t"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="u"] ~ a::before, [name="uh"][value$="v"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="w"] ~ a::before, [name="uh"][value$="x"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="y"] ~ a::before, [name="uh"][value$="z"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="0"] ~ a::before, [name="uh"][value$="1"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="2"] ~ a::before, [name="uh"][value$="3"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="4"] ~ a::before, [name="uh"][value$="5"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="6"] ~ a::before, [name="uh"][value$="7"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="8"] ~ a::before, [name="uh"][value$="9"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="a"] ~ a::before, [name="uh"][value$="b"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="c"] ~ a::before, [name="uh"][value$="d"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="e"] ~ a::before, [name="uh"][value$="f"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="g"] ~ a::before, [name="uh"][value$="h"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="i"] ~ a::before, [name="uh"][value$="j"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="k"] ~ a::before, [name="uh"][value$="l"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="m"] ~ a::before, [name="uh"][value$="n"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="o"] ~ a::before, [name="uh"][value$="p"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="q"] ~ a::before, [name="uh"][value$="r"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="s"] ~ a::before, [name="uh"][value$="t"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="u"] ~ a::before, [name="uh"][value$="v"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="w"] ~ a::before, [name="uh"][value$="x"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="y"] ~ a::before, [name="uh"][value$="z"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="0"] ~ a::before, [name="uh"][value$="1"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="2"] ~ a::before, [name="uh"][value$="3"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="4"] ~ a::before, [name="uh"][value$="5"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="6"] ~ a::before, [name="uh"][value$="7"] ~ a::before
CSS Exfil Protection blocked: [name="uh"][value$="8"] ~ a::before, [name="uh"][value$="9"] ~ a::before
EDIT: The code in question appears to be from this included stylesheet: https://b.thumbs.redditmedia.com/yAflD3vhTvu03aUNfUYM4Mpkt6-OnQfRlNEzp8EG2og.css
I don't think this code is malicious, but again, it's the type of code this plugin looks for to sanitize.
just fyi looks like I don't have it triggered because I have subreddit themes disabled in my user prefs on reddit. If I check the box to allow subreddit themes CSS exfil counts 18.
Discovered that this URL triggers the extension today due to this CSS. The CSS is not harmful, but is the exact type of rule the extension is designed to filter.
https://www.ifixit.com/cart/view
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="amex"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="dinersclub"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="discover"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="jcb"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="mastercard"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="visa"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="paypal"] .card-value .credit-card-figure
CSS Exfil Protection blocked: #content #card-form-wrapper [data-card-selection="amazon"] .card-value .credit-card-figure
For what it's worth, I've just went through all the links posted in this issue and, except for your test page, the plugin never reported any sanitation. I do have uMatrix in a pretty paranoid configuration and uBlock-Origin with default config. The only thing uMatrix allows by default is 1st party css. If I understand #29 correctly, none of that should matter.
For what it's worth, I've just went through all the links posted in this issue and, except for your test page, the plugin never reported any sanitation. I do have uMatrix in a pretty paranoid configuration and uBlock-Origin with default config. The only thing uMatrix allows by default is 1st party css. If I understand #29 correctly, none of that should matter.
Some of the first URLs reported in this thread are no longer reported since the sanitization routine was adjusted in release 1.0.18. But, some of the other ones still cause the plugin to sanitize. It should be noted that the plugin is doing exactly what it's suppose to be doing in these cases. It's not sanitizing malicious code, but the CSS specified in the included stylesheets is the type of code the plugin attempts to sanitize.
I don't know of any sites that trigger this extension so I figured maybe there should be a post about it.