Is it possible to be attacked with XSS on style tag which having inline styling?

Question

Example:

<!DOCTYPE>
<html lang="en">
    <head>
        <title>XSS test</title>
        <style>
        div {
            background-color:red;
            height:100px;
            width:100px;
        }
        </style>
    </head>
    <body>
        <div></div>
    </body>
</html>

Would it be possible to inject JavaScript code using inside style tag? I have heard that it's possible to trigger XSS attacks through CSS.

This example is static, so there is no possibility to attack it with XSS. — Elon Than, Oct 30 '13 at 07:19
Example of attacks: http://stackoverflow.com/questions/4546591/xss-attacks-and-style-attributes?rq=1 — Chris Hayes, Oct 30 '13 at 07:24

score 4 · Answer 1 · answered Oct 30 '13 at 15:16

Yes, JavaScript can be executed even through CSS thanks to URL support in the latter. In general, you can execute JavaScript through any mechanism that allows you to specify URLs because of the javascript: and data: pseudo-URLs. As result there are numerous cross-site scripting vectors that work through CSS. For example:

<style>p[foo=bar{}*{-o-link:'javascript:alert(1)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>

More of them can be found on Mario Heiderich site http://heideri.ch/jso/#css

Is it possible to be attacked with XSS on style tag which having inline styling?

1 Answers1