Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away.
XSS in CSS url() and font-family
Date: May 30, 2010 02:53PM

Hey all,

I'm currently researching ways to safely encode, in all browsers, URLs and strings in CSS found in HTML. For example,

* url(http://example.com) with backslash escaping of quotes and parentheses as \" and \) is insecure because Internet Explorer doesn't recognize those kinds of character escapes

* 'Font name' with backslash escaping of single quotes is insecure for the same reason.

I currently have the following scheme:

* Given a URL to insert into url(), check that it is properly URL encoded (in particular, a double quote and backslash never occur within it) and then place it as url("http://example.com").

* Given a font name, if it is strictly alphanumeric, it is safe to omit quotes. Otherwise, wrap in double quotes and replace '"' with '\22 ' (note trailing space) and '\' with '\5C ' (ditto).

Ways to break these schemes, or potentially valid names that are broken by the scheme on certain browsers, would be appreciated.

Thanks,
Edward

HTML Purifier - Standards Compliant HTML filtering

Re: XSS in CSS url() and font-family
Posted by: sirdarckcat
Date: May 31, 2010 12:48AM

how do you treat new lines? and <>?


anyways.. browsers suck, if the page does any type of DOM interaction using cssText or innerHTML it will break..
something similar to this: http://heideri.ch/jso/#59 but inside styles.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: XSS in CSS url() and font-family
Posted by: LeverOne
Date: May 31, 2010 07:06AM

Quote

* 'Font name' with backslash escaping of single quotes is insecure for the same reason.

Here, you're wrong.
The string inside "url()" has this feature, but not the string 'font name'. Thus, you have a safe font name now (provided that there is no interaction with the DOM, as sdc said).

----------------------
~Veritas~

Re: XSS in CSS url() and font-family
Date: May 31, 2010 12:02PM

sirdarckcat: Newlines are removed. <> is kept normal for inline CSS, and converted to \XX (hex code) escape for insertion into an actual stylesheet.

LeverOne: It looks like you're right. That's good to hear.

The DOM interaction bugs are pretty crazy. Thanks for the pointer.

HTML Purifier - Standards Compliant HTML filtering
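The scheme from the opening post (quoted url() with a strict URL-encoding check, font names quoted with \22 and \5C hex escapes) together with the newline and <> handling described in the follow-up, as an added JavaScript example. This is illustrative code written for this thread, not HTML Purifier's implementation; the names cssUrl, cssFontFamily, cssDeclarations and the stylesheet option are assumptions. It goes one step beyond the post's rule in one place: a font name that begins with a digit is quoted as well, because a bare CSS identifier cannot start with a digit.

```javascript
// Added example: one implementation of the CSS escaping rules discussed in
// this thread. Illustrative code, not HTML Purifier's own implementation.

// A "properly URL encoded" URL contains only RFC 3986 unreserved and
// reserved characters plus '%', and every '%' starts a two-hex-digit escape.
// '"' and '\' are not in that set, so the result can be wrapped in double
// quotes without relying on CSS backslash escapes, which IE does not honour.
const URL_CHARS = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]*$/;
const PCT_ENCODED = /^(?:[^%]|%[0-9A-Fa-f]{2})*$/;

// Newlines are dropped outright before anything else is checked.
function stripNewlines(s) {
  return s.replace(/[\r\n]/g, '');
}

// Returns 'url("...")', or null when the URL fails validation (the caller
// should drop the whole declaration rather than try to repair the value).
function cssUrl(url) {
  const u = stripNewlines(String(url));
  if (!URL_CHARS.test(u) || !PCT_ENCODED.test(u)) return null;
  return 'url("' + u + '")';
}

// Hex escape with a trailing space. The space terminates the escape so that
// a hex digit following it in the value is not consumed as part of it
// (e.g. '"7' becomes '\22 7', not the ambiguous '\227').
function hexEscape(ch) {
  return '\\' + ch.charCodeAt(0).toString(16).toUpperCase() + ' ';
}

// options.stylesheet (assumed name): true when the value goes into a <style>
// block or external stylesheet rather than a style="" attribute. In that
// context '<' and '>' are hex-escaped too, so a value can never contain a
// literal "</style>" that would end the enclosing element; inline CSS
// keeps them as-is, matching the follow-up post.
function cssFontFamily(name, options = {}) {
  const n = stripNewlines(String(name));
  // Bare identifier only when strictly alphanumeric. Assumption beyond the
  // post's rule: names starting with a digit are quoted, since a CSS
  // identifier cannot begin with a digit.
  if (/^[A-Za-z][A-Za-z0-9]*$/.test(n)) return n;
  const pattern = options.stylesheet ? /[\\"<>]/g : /[\\"]/g;
  return '"' + n.replace(pattern, hexEscape) + '"';
}

// Assemble a background/font-family declaration pair from untrusted input.
function cssDeclarations(url, fontName, options = {}) {
  const parts = [];
  const u = cssUrl(url);
  if (u !== null) parts.push('background: ' + u + ';');
  parts.push('font-family: ' + cssFontFamily(fontName, options) + ';');
  return parts.join(' ');
}

// Constructed sample inputs: a normal URL, an attempt to close the url()
// string, and a font name that tries to break out of its quotes.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(cssUrl('http://example.com/a.png?x=1&y=%2F'));
  console.log(cssUrl('http://example.com/a.png")x'));             // null
  console.log(cssFontFamily('Times New Roman'));
  console.log(cssFontFamily('Arial"; color: red; x:"'));
  console.log(cssFontFamily('</style>', { stylesheet: true }));
  console.log(cssDeclarations('http://example.com/b.png', '3D'));
}
```

Note that cssUrl rejects rather than repairs: a URL that contains a raw double quote, backslash, space or malformed percent escape is not "properly URL encoded" in the sense the post uses, and silently re-encoding it would hide the fact that the input was hostile or broken.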

Re: XSS in CSS url() and font-family
Date: May 31, 2010 11:10PM

If you're interested in testing this out, http://htmlpurifier.org/demo.php has the logic I described here.

HTML Purifier - Standards Compliant HTML filtering
