Sla.ckers.org
CSS war challenge
Posted by: Gareth Heyes
Date: January 19, 2010 03:35AM

OK, the aim of this challenge is to break out of the untrusted zone using only CSS on the span specified. NO HTML CAN BE USED. The idea of the game is to have some attackers and defenders. The attackers must make one move to break out of the zone and the defenders must fix it by blocking one property value only. The defenders must try and use the least possible rule values to block to gain extra points.

I've taken this code from somewhere and it's possible to break out of it using a certain rule.

<label>Trusted content: <input type="password"></label>
<div style="position:relative; overflow: hidden;width:500px;height:500px;background-color:#DBDBFF;">
Untrusted content.
<span style="YOUR STYLE HERE">Escaped untrusted  
content.</span>
</div>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: CSS war challenge
Posted by: SAS
Date: February 17, 2010 12:27AM

Interesting, Gaz. So only CSS? No JS? And does it need to work in all browsers? Most CSS3 is poorly supported yet (like move-to for moving content, for example), Opera excluded of course.

Re: CSS war challenge
Posted by: Gareth Heyes
Date: February 17, 2010 01:35AM

Yeah, any browser, pure CSS. If you choose a browser then you need to put it in the post, then we can try and defend it.
