web application security lab

XSS in ParticleSoft Wiki v1.0.2

Luny just described an example of XSS using a style sheet. He’s pointed out something wise that I only go over in passing on the XSS Cheat Sheet: STYLE attributes are not bound to any particular tag; in fact, they aren’t even bound to tags that exist. Something as weird as <ZZZ will work just as well as <SPAN. In this example he used what was allowed (a BR tag) and included a style.

Internet Explorer decided to allow JavaScript in CSS because it helps when you are calculating how wide parts of a page should be, or when something moves and a layer should move with it, etc. That’s great, but it definitely opens a pretty huge attack vector. Additionally, CSS in particular is troublesome to parse apart, even more so than traditional HTML, because its semantics vary so greatly between browsers, and CSS comments are notoriously confusing (and act differently depending on which version of IE you are using).

Ultimately, I believe it’s a vector that will become more and more prevalent. I don’t think Microsoft has any intention of closing that vector, so as long as the style attribute is allowed, this will continue to happen. Good for auditors, bad for webmasters and the users of the websites they run.
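As an added illustration of the defensive side of this (example code written for this page, not code from RSnake, Luny or ParticleSoft Wiki), the Python below scans untrusted markup for style attributes on any tag name, real or not, collapses CSS comments before looking for expression() and javascript: hooks, and offers the blunt fix the post arrives at: dropping the style attribute altogether. It is regex-based for brevity; a production filter should work on a parsed DOM.

```python
import re

# Tags are matched generically on purpose: IE honours style= on any tag
# name, real or invented (<ZZZ>), so an allowlist of element names is no
# help in locating the attribute. Closing tags (</x>) are skipped.
TAG_RE = re.compile(r"<\s*([A-Za-z][\w:-]*)([^>]*)>", re.S)
STYLE_ATTR_RE = re.compile(
    r"""\bstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I | re.S)
CSS_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def normalize_css(value: str) -> str:
    """Strip CSS comments and whitespace so comment-split keywords collapse.

    This is deliberately conservative: IE versions differ in how they treat
    comments inside CSS, so anything that reads as expression( once comments
    and whitespace are removed is treated as a hit.
    """
    value = CSS_COMMENT_RE.sub("", value)
    value = re.sub(r"\s+", "", value)
    return value.lower()


def find_style_risks(html: str) -> list:
    """Return (tag, reason) for every style attribute carrying IE script hooks."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        sm = STYLE_ATTR_RE.search(attrs)
        if not sm:
            continue
        css = normalize_css(sm.group(1) or sm.group(2) or sm.group(3) or "")
        if "expression(" in css:
            findings.append((tag, "expression()"))
        if "javascript:" in css:
            findings.append((tag, "javascript: url"))
    return findings


def strip_style_attributes(html: str) -> str:
    """Hardened option: remove every style= attribute from untrusted markup."""
    def clean_tag(m):
        attrs = STYLE_ATTR_RE.sub("", m.group(2)).rstrip()
        return "<" + m.group(1) + attrs + ">"
    return TAG_RE.sub(clean_tag, html)


# Constructed sample input in the shape the post describes (not from the wiki).
SAMPLE = '<br style="width: expression(alert(1))"><ZZZ style="x:expr/* */ession(1)">'
if __name__ == "__main__":
    print(find_style_risks(SAMPLE))
    print(strip_style_attributes(SAMPLE))
```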

/RSnake

3 Responses to “XSS in ParticleSoft Wiki v1.0.2”

  1. r0xes (dgod) Says:

    Yeah, I’ve noticed that you can get comments in everything except the CSS name (i.e. body { }) and javascript:, and I had almost completely forgotten the blah:expression (thanks for reminding me, luny!).

    I’ve heard that Microsoft is changing this in IE 7 for Vista release, but I don’t have the beta so I can’t say for sure.

  2. RSnake Says:

    So far the major thing I’ve seen change in the IE7.0 beta is that it no longer supports the JavaScript directive inside of images. That’s a HUGE attack vector that should no longer be applicable. When I talked with the IE folks about it, they were unsure if it was a bug or if it was desired functionality to keep it broken.

    They did recognize that it was a major vector for XSS, but they also thought it should work, so it was unclear if it was crippled on purpose or not. Ultimately, I don’t think it will work, based off of what I saw, unless they decide enough people are using it that it’s worth keeping it. I was only able to come up with one instance to show them of a valid benign use of the technology.

    The problem is, since it is only supported in IE, it still doesn’t work for a good chunk of users. Really it’s not worthwhile to keep it around for a supportability/maintainability nightmare when it’s really only used for malicious intent these days anyway. So my bet is that it’s gone in the next version and beyond.

  3. Luny Says:

    np r0xes, but ty RSnake for showing us on the XSS Cheatsheet. I too wish I had a Vista beta so I could test this as well.
