list-style-image XSS
Again, bordering on the extremely esoteric end of XSS examples, I ran into this element today that will allow JavaScript to render. It’s called the list-style-image CSS property. It’s so bizarre I’m not even sure how you could implement this effectively, as it requires lots of HTML and URL parameters inside style sheets. It works only in the Internet Explorer rendering engine too. Ready for this one?
Now where would you use that? Well, I guess I could come up with a theoretical example where you knew there was a bullet on a page (or could somehow insert one) and you had some control over the styles on that page. Ugh. I have no idea; your guess is as good as mine, but it’s worth mentioning for anyone on the extreme edge. Good luck with this one!



August 15th, 2006 at 3:22 pm
You should be able to generalize this to any CSS property that allows a url() value. That means background-image, background, content, cursor, list-style and play-during (even more obscure). I agree though, injecting something like that is pretty difficult.
August 15th, 2006 at 3:39 pm
url() or expression() yes… I still feel like there are more of these out there, but I haven’t found a really great CSS manual. The best one I’ve found is on http://www.blooberry.com/indexdot/css/index.html and that’s just a pain to get through. And as thorough as it is, it still misses a lot of things that are outside the realm of traditional CSS. Never once have I found an XSS vector on those pages, they had to be invented, so the more thorough the reference the easier it is to cherry pick the issues.
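The post's list-style-image case, the list of url()-accepting properties in the first comment and the expression() mention in the reply above all reduce to one audit a defender can run over user-controlled CSS before it reaches a page. This is an added example, not code from the post or its comments; audit_css, URL_PROPERTIES, SAFE_SCHEMES and the sample stylesheet are this example's own constructions, and it goes beyond the listed properties by checking url() in every declaration.

```python
import re

# Properties the post and its comments name as accepting url(). The audit
# checks url() in every declaration; this set only labels the known ones.
URL_PROPERTIES = {"list-style-image", "list-style", "background-image",
                  "background", "content", "cursor", "play-during"}
SAFE_SCHEMES = {"http", "https"}

_DECL_RE = re.compile(r"([-a-zA-Z]+)\s*:\s*([^;}]+)")
_URL_RE = re.compile(r"url\s*\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
_EXPR_RE = re.compile(r"expression\s*\(", re.I)
_HEX_ESC_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")

def _normalize(url):
    """Decode CSS hex escapes, drop leftover backslashes and control/space
    characters, and lowercase, so the scheme check sees what the engine sees."""
    def decode(m):
        cp = int(m.group(1), 16)
        return chr(cp) if cp <= 0x10FFFF else "\ufffd"
    url = _HEX_ESC_RE.sub(decode, url).replace("\\", "")
    return re.sub(r"[\x00-\x20\x7f]", "", url).lower()

def _scheme(url):
    """Scheme of a normalized URL, or None for a relative reference."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", url)
    return m.group(1) if m else None

def audit_css(css):
    """Return (property, reason) findings for every declaration that uses
    expression() or a url() whose scheme is not http(s)."""
    findings = []
    for prop, value in _DECL_RE.findall(css):
        prop = prop.lower()
        where = "known url() property" if prop in URL_PROPERTIES else "other property"
        if _EXPR_RE.search(value):
            findings.append((prop, "expression() is not allowed"))
        for _quote, raw in _URL_RE.findall(value):
            scheme = _scheme(_normalize(raw))
            if scheme is not None and scheme not in SAFE_SCHEMES:
                findings.append((prop, "url() scheme '%s' in %s" % (scheme, where)))
    return findings

if __name__ == "__main__":
    # Constructed sample: user-supplied CSS mixing safe and unsafe values.
    sample = ("li { list-style-image: url(javascript:alert(1)) }\n"
              "p { background: url('http://example.com/a.png'); cursor: url(/c.cur), auto }")
    for prop, reason in audit_css(sample):
        print("%s: %s" % (prop, reason))
```

Relative references and http(s) URLs pass; anything else, and any expression(), is reported against the property it appeared in.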
August 15th, 2006 at 10:49 pm
I’ve seen dynamically generated CSS pages, and there should be some vulnerable to XSS, but I’ve rarely seen any used in a practical attack vector.
August 16th, 2006 at 8:31 am
Haha, you’re reaching!
But yah, that’s theoretically possible to exploit if the CSS itself is dynamic/user specified in some way… annnnnd there happens to be a bullet on the page somewhere.