57

Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this? I know you can use style tags but what about stylesheets?

Improve this question

2 Answers 2

Reset to default
47

From the browser security handbook

The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

... and after reading that, I find this on StackOverflow. See Using Javascript in CSS In Firefox, you can use XBL to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.

There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I've heard of that handbook but didn't think it was worth a read. Now I do. Thanks for the answer. :) So IE8 doesn't support expression() in standards mode. (Just thought I'd mention)
I think none of these methods are available in up to date browsers and XBL is is abandoned with no browsers planning to implement. This would imply it's no longer possible to launch JavaScript from CSS.
7

The OWASP Mutillidae project has a Cascading Style Injection vulnerability example on page: http://localhost/mutillidae/index.php?page=set-background-color.php

Of course, you need to setup the env locally first. You can download and set it up on your localhost from the following link: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

Here is the relevant hint: https://github.com/webpwnized/mutillidae/blob/main/includes/hints/cascading-style-sheet-injection-hint.inc

Improve this answer

4 Comments

Don't know why downvote but the first link targets your localhost machine.
@Tomor It is an experimental environment and should be only used locally. I have added some explanations. Thanks!
Thanks for the pointer! The last link (to github) is however dead now.
@greg Thanks for pointing that out. I tried to find a replacement for the link but failed... I guess one could still be able to find the hint inside the application.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.