35

There are known Style Attribute XSS attacks like:

<DIV STYLE="width: expression(alert('XSS'));">

Or

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

All the examples I've seen use either expression or url functionality - basically something function-like that requires "(" and ")".

I'm thinking of the following method of filtering style tags: I would check them using the following (approximate) grammar:

identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number:     [0-9]+
string:     '[a-zA-Z_0-9 ]*'
value:      identifier | number | string | number ("em" | "px") | number "%"
entry:      identifier ":" value (\s value)*
style:      (entry ";")*

So basically I allow ASCII properties with numeric values or very limited string values (basically for font names), not allowing anything that looks like a call.

The question is: is this good enough? Are there any attacks that may do something like this:

<DIV STYLE="this-is-js-property: alert 'XSS';">

And succeed?

Can anybody think of an XSS vulnerability in such a test?

To make it clear:

I need style attributes as many tools like TinyMCE use them, and filtering harmless style attributes out would significantly hurt the functionality.

So I prefer to pass the common cases, removing all things that may use @import, url, expression etc., and also to make sure that the basic CSS syntax is OK.

Artyom
  • good job, didn't know many of this – Silver Light Dec 28 '10 at 14:16
  • There are complex HTML whitelist filtering frameworks like https://github.com/owasp/java-html-sanitizer. A skilled attacker with enough time on his hands will always find a way to beat a blacklist filter. – Gellweiler Nov 06 '18 at 19:48

4 Answers

19

This does not work due to a click-jacking vulnerability.

Example:

<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> 

Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

The code would validate perfectly, but it may cause serious damage.

So, rule of thumb: use a very strict white list or do not allow style attributes at all.

Artyom
  • Good point! I think we could use X-Frame-Options to defend against click-jacking vulnerabilities nowadays. – alwaysday1 Jun 22 '16 at 03:46
  • But this is just as much of a vulnerability as a fake `a` tag saying "Log in here" with a malicious link, or an `` that has a malicious src? – A Friend Nov 07 '19 at 19:39
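The question's grammar and this answer's overlay can be put side by side in code. The block below is an added example, written for this page and not taken from the question or answer authors: it implements the question's grammar exactly as written (`matches_grammar`) and runs it over the question's payloads, a comment-split `ex/**/pression` spelling, a benign editor-style declaration list, and the answer's overlay. Note that the grammar's `number` rule `[0-9]+` has no decimal point, so the answer's exact string is rejected purely because of `opacity: 0.5`; the same overlay with that one declaration removed passes, and a fully opaque fixed-position block covers the page just as well. `sanitize_style` is the strict white list the answer recommends: `ALLOWED_PROPERTIES` is a constructed set of typography properties, and every declaration whose property is not on it is dropped, which removes `position`, `z-index` and the rest of the overlay while keeping what TinyMCE-style editors normally emit.

```python
import re

# The question's grammar, token by token. Property names and keywords are
# ASCII only, numbers are unsigned integers, strings are single-quoted.
IDENT = r"[A-Za-z_][A-Za-z0-9\-]*"
NUMBER = r"[0-9]+"                          # no sign, no decimal point
STRING = r"'[A-Za-z_0-9 ]*'"                # e.g. 'Times New Roman'
VALUE = rf"(?:{NUMBER}(?:em|px|%)?|{IDENT}|{STRING})"
# entry: identifier ":" value (\s value)* ";"  -- group 1 = property, group 2 = value list
ENTRY = rf"\s*({IDENT})\s*:\s*({VALUE}(?:\s+{VALUE})*)\s*;"
ENTRY_RE = re.compile(ENTRY)
STYLE_RE = re.compile(rf"(?:{ENTRY})*\s*")  # style: (entry ";")*


def matches_grammar(style):
    """True if the whole attribute value is derivable from the question's grammar.

    '(' ')' '/' '\\' '@' and '"' appear nowhere in the grammar, so expression(),
    url(), @import and ex/**/pression are all rejected at this stage.
    """
    return STYLE_RE.fullmatch(style) is not None


# Constructed whitelist: typography properties an editor like TinyMCE emits.
# Layout properties (position, z-index, display, opacity, width, height, top,
# left ...) are deliberately absent because they enable the overlay attack.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-decoration", "text-align", "line-height",
    "margin", "margin-top", "margin-right", "margin-bottom", "margin-left",
    "padding", "padding-top", "padding-right", "padding-bottom", "padding-left",
}


def sanitize_style(style):
    """Grammar check first, then drop every declaration whose property is not
    whitelisted. Returns the surviving declarations, or '' if nothing survives
    (including when the grammar check fails)."""
    if not matches_grammar(style):
        return ""
    kept = []
    for m in ENTRY_RE.finditer(style):
        prop, value = m.group(1).lower(), m.group(2)  # property names are case-insensitive
        if prop in ALLOWED_PROPERTIES:
            kept.append(f"{prop}: {value};")
    return " ".join(kept)


# Constructed inputs: the question's payloads, an editor's benign output, and the
# answer's overlay with and without its decimal opacity.
SAMPLES = {
    "expression": "width: expression(alert('XSS'));",
    "url": "background-image: url(javascript:alert('XSS'));",
    "split-expression": "x:ex/**/pression(alert(1));",
    "fake-property": "this-is-js-property: alert 'XSS';",
    "benign": "font-family: 'Times New Roman'; font-size: 12px; color: red;",
    "overlay-exact": "display: block; z-index: 100000; opacity: 0.5; position: fixed; "
                     "top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;",
    "overlay": "display: block; z-index: 100000; position: fixed; top: 0px; left: 0; "
               "width: 1000000px; height: 100000px; background-color: red;",
}

if __name__ == "__main__":
    for name, style in SAMPLES.items():
        print(f"{name:17} grammar={matches_grammar(style)!s:5} kept={sanitize_style(style)!r}")
```

Running it shows the two halves of the answer's point: the grammar alone rejects every function-like payload but accepts the overlay (with `opacity` dropped) and the question's made-up `this-is-js-property`, while the property white list reduces the overlay to `background-color: red;` and drops the unknown property entirely.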
3

There is an open foundation out there called OWASP that helps you with this.

To answer your question "Are there any attacks...": Yes!

There are tons of documentation there, and there are libraries you can use to correctly escape all XSS code.

Read the XSS prevention sheet.

Shervin Asgari
  • Can you please be more specific? Any **specific** attack? I've searched these sites and I haven't found anything that would allow such attacks using CSS identifiers and numbers only. That is why I'm asking. – Artyom Dec 28 '10 at 14:33
  • There are tons of ways of encoding HTML. You can use HTML entities for one. The OWASP documentation has all the examples, and the libraries there correctly escape `all` possibilities – Shervin Asgari Dec 29 '10 at 08:05
  • HTML entities and other "weird" ways of encoding are not allowed; as you can see in the grammar, only a very strict subset of strings is allowed, rejecting anything "unusual" – Artyom Dec 29 '10 at 12:32
2

Yes, you can use XSS attacks with style attributes.

These styles were injected as we didn't have them declared in our tags in a particular JSP page, but they got through when audited by our security group:

<img src="<path here>" style=x:ex/**/pression(alert(54163)) ".gif"

I'm thinking of using an HTTP filter to stop it here, but I'm still looking into it.

We also didn't have our hidden input fields protected either, and this got through as well:

<input type="hidden" name="<variable name here>" value="<value here>" style=x:ex/**/pression(alert(54163)) "">

With a tool like Burp Suite, you can modify requests on the fly to inject XSS into tags like this. However, with the ESAPI APIs from OWASP, you can add protection. We weren't using JSTL tags as it was old legacy code, so that was the best short-term solution.

For the hidden input I used:

<input type="hidden" name="id" value="<%=ESAPI.encoder().encodeForHTMLAttribute(id)%>">

You can also use XSS with the js onload event in an img tag:

James Drinkard
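The ESAPI line above shows the fix in JSP. As an added example, not the answer author's code and in Python rather than Java, the block below shows why attribute encoding closes this hole: it renders the hidden input with and without encoding and lets a tolerant HTML parser report which attributes it actually sees. `PAYLOAD` is a constructed value modelled on the answer's, and `html.escape(quote=True)` stands in for `encodeForHTMLAttribute`.

```python
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Records the (tag, attributes) pairs a tolerant HTML parser extracts."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_attributes(markup):
    """Attribute names and values of the first tag in `markup` ({} if none)."""
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.tags[0][1] if p.tags else {}


def render_hidden_unsafe(name, value):
    # Raw interpolation, the 'before' state: a '"' inside value ends the attribute early.
    return f'<input type="hidden" name="{name}" value="{value}">'


def render_hidden_safe(name, value):
    # The same template with attribute encoding. html.escape(quote=True) maps
    # & < > " ' to character references, so the value cannot close the quotes.
    enc = lambda s: html.escape(s, quote=True)
    return f'<input type="hidden" name="{enc(name)}" value="{enc(value)}">'


# Constructed value modelled on the answer's payload: closes the value attribute
# and smuggles a style attribute into the tag.
PAYLOAD = 'abc" style=x:ex/**/pression(alert(54163)) x="'

if __name__ == "__main__":
    for label, render in (("unsafe", render_hidden_unsafe), ("safe", render_hidden_safe)):
        markup = render("id", PAYLOAD)
        print(label, markup)
        print("   attributes seen by the parser:", sorted(parse_attributes(markup)))
```

In the unencoded rendering the parser sees `value="abc"` followed by a separate `style` attribute; in the encoded one it sees exactly three attributes and recovers the full payload string as the `value`, which is the behaviour the ESAPI encoder gives the JSP page.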
0

Security rule #1: If you are the least bit in doubt, presume there is a hole.

What are you trying to achieve? What functionality would cause CSS from an untrusted source?

aaaaaaaaaaaa
  • In my case it's a discussion system, where people can post comments in CommonMark + HTML, and they might include `style=...` attributes. (I'm not the original-poster, I just have a similar "problem".) – KajMagnus Sep 17 '16 at 02:17