4

Example code:

<!DOCTYPE html>
<html lang="en">
<head><title>XSS test page</title></head>
<body>
<p>
<?php
  $style = htmlspecialchars($_GET['style']);
  echo '<div style="'.$style.'">This is a style test</div>';
?>
</p>
</body>
</html>

Would it be possible to inject javascript code using nothing but a properly escapted html style attribute?

I have heard that it's possible to trigger XSS attacks through CSS (Source 1, Source 2).

I was wondering if this was possible through just the style attribute as well.

Charles
  • 50,943
  • 13
  • 104
  • 142
OmnipotentEntity
  • 16,531
  • 6
  • 62
  • 96
  • I would imagine so. for example, if the unescaped `$style` was `$style = '">
     – kennypu Mar 20 '13 at 23:16
  • It gets fed through `htmlspecialchars`, that won't work. – OmnipotentEntity Mar 20 '13 at 23:17
  • 2
    is this purely for testing if something like that would be a possible XSS-vector only? Because one could definitely render your page unfunctional, for defacement, or (probably with another security-leak somewhere) use it for click-jacking with pure css. A real XSS-problem would exist in old browsers (like IE<8) for example using `url(:javascript)` or `expression()` – GNi33 Mar 20 '13 at 23:27
  • @GNi33, I'm mostly interested in whether or not this is a bad enough idea that it could theoretically leak information from one person to another (like sending a cookie). I'm not worried specifically about defacement. I'm simply worried about security implications that could possibly allow one person to get information to another through the website if it's visited. – OmnipotentEntity Mar 20 '13 at 23:30
  • 1
    @OmnipotentEntity if the user would be on IE7 for example (which sadly is still used in corporations too much), I'd say YES. I've seen absolutely crazy ways for injecting JavaScript to outsmart input-validation that are still getting parsed correctly on IE7. Have a look at [the OWASP cheat-sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_attribute_using_a_comment_to_break_up_expression), sadly I'm not able to find the example-list anymore. – GNi33 Mar 20 '13 at 23:37
  • 2
    @OmnipotentEntity for great examples of JS-based attack-craziness, browse trough some articles on http://www.thespanner.co.uk/ Basically, a clever hacker will possibly find a way... edit: [like this gem](http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/) – GNi33 Mar 20 '13 at 23:43

2 Answers2

8

I already pointed this out in the comment-section of the question, but I think it fits better as an actual answer.

CSS

Apart from an actual XSS-threat, passing user-input to a style-tag on your page opens op a whole set of other opportunities for attackers, some by just using plain css.

By setting the element to position: absolute;, one could overlay your whole page with it. This could be used to just render it unusable (with opacity:0; for example) or an attacker could use it for a defacement of the whole page. By using CSS3-properties like :before and :after, they are even capable of putting content on your page through CSS.

Another outcome could be "click-jacking", this was actually already discussed on StackOverflow already.

XSS

When it comes to pure XSS though, it would be hard to use this on modern browsers, still I wouldn't say that it's impossible. Anyhow, on older browsers like, for example, Internet Explorer 7, this could be used for an attack. There have been very creative XSS-Injections that where obfuscated and decoded in the craziest ways to outsmart input-validation, which would still succeed on several (now) old browsers because they were still parsing it. Matters got a lot better on modern browsers considering this.

Additionaly, there where functions like expression() and background-image:url, which made script-execution possible in CSS for old versions of Firefox, IE7 and older and probably some other browsers.

The OWASP XSS Prevention cheat sheet actually lists an example, where these functions are used in style - tags and style - attributes.

Scriptless Attacks (might work on modern browsers too!)

Putting old browsers and XSS aside, there still are other ways that may be applicable here, mostly in the form of "Scriptless Attacks". Going into detail would blast the scope here, but there is a great presentation on this topic, providing several ways and good examples on how even modern browsers could be affected. Another example would be this blog post where CSS was used for Cross Site Request Forgery. (a big thanks to @BenjaminGruenbaum for providing the links)

Finally, for a great insight on how crazy clever attackers can get when it comes to script-insertion, I recommend browsing http://www.thespanner.co.uk/. For example, there's even a pretty wild example of XSS on a style-attribute, stated to work on "on IE7 and Firefox (no version given)".

So, watch out really well when doing things like that, people might still find a way...

Community
  • 1
  • 1
GNi33
  • 4,459
  • 2
  • 31
  • 44
1

It depends on the browser. For example IE had scripting within CSS and style tags via the expression keyword. Thankfully this went away in IE8.

From my limited PHP knowledge what you are doing is fine; htmlspecialchars() worksas you use it for an attribute value surrounded by quotes. If you leave the quotes off and did <div style='.$style.'> then you are in for a world of trouble.

OmnipotentEntity
  • 16,531
  • 6
  • 62
  • 96
blowdart
  • 55,577
  • 12
  • 114
  • 149