Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
JavaScript via CSS
Date: May 29, 2012 06:10AM

Hello,

are there still possibilities to execute JavaScript via stylesheets?

The common methods like expression or moz-binding are not working in modern web browsers. It seems that Mozilla completely removed the -moz-binding functionality.

Regards

Re: JavaScript via CSS
Posted by: cr101
Date: June 13, 2012 10:08AM

I believe there are still some working vectors. Using "expression" with IE is definitely still an option.

Re: JavaScript via CSS
Date: June 17, 2012 09:06AM

I can't really agree with you there. Dynamic properties (like "expression") are only working if the X-UA-Compatible header is set to an obsolete version of IE or a wrong document type is used. Dynamic properties are turned off by default since version 8. I recently wrote an article about that issue: http://impuls23.edublogs.org/2012/06/06/css-expressions-do-work-again-in-ie9/



Edited 1 time(s). Last edit at 06/17/2012 09:06AM by Jean Pascal Pereira.

Re: JavaScript via CSS
Posted by: Gareth Heyes
Date: June 18, 2012 07:12AM

The doc mode is inherited from the parent of the iframe so even if you have a standards mode page, if it's iframed from a quirks doc it will inherit that.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript via CSS
Date: June 25, 2012 07:49AM

I don't think so. Can't reproduce this in IE9. Do you have any proof for your statement?

Re: JavaScript via CSS
Posted by: Gareth Heyes
Date: June 29, 2012 03:23PM

Ok well it used to :) clicking the compat mode button when the page is framed still works.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript via CSS
Posted by: LeverOne
Date: June 30, 2012 12:25PM

Perhaps it will be useful for you:

1) http://html5sec.org/#9
2) http://html5sec.org/#90
3) http://html5sec.org/#129

----------------------
~Veritas~

Re: JavaScript via CSS
Posted by: Gareth Heyes
Date: June 30, 2012 04:17PM

@LeverOne

I think Opera stops javascript: now but allows data

<style>*{-o-link:'data:text/html,%3Cimg%20src%3D1%20onerror%3Dalert(1)%20%2F%3E';-o-link-source:current}</style>
<a xlink:href=123>test</a>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JavaScript via CSS
Posted by: LeverOne
Date: June 30, 2012 04:46PM

@Gareth Heyes

I added it to the description for #9 a few days ago and your link to hackvertor.

----------------------
~Veritas~

Re: JavaScript via CSS
Posted by: Gareth Heyes
Date: July 01, 2012 04:11PM

@LeverOne

Cool

Also if you wrap around the style with svg tags you can use the newer entities too such as &colon; etc which is pretty useful for bypasses since filters tend to think entities won't work in style blocks.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
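
A defensive check for the point made in the last post, as an added example that is not part of the original thread: CSS pulled out of markup is scanned after entity decoding, so the constructs named in the thread are still caught when a `<style>` block sits inside `<svg>`. The names `VECTORS`, `StyleAuditor` and `audit` and the sample strings are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructs named in the thread: expression, -moz-binding, -o-link,
# and javascript:/data: URLs inside CSS values.
VECTORS = re.compile(
    r"expression\s*\(|-moz-binding|-o-link|(?<![\w-])(?:javascript|data)\s*:",
    re.IGNORECASE,
)


class StyleAuditor(HTMLParser):
    """Collect CSS from <style> elements and style="" attributes, then scan it
    in entity-decoded form, since <style> inside <svg> is not raw text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # list of (source, matched token)
        self._buf = None     # chunks of the <style> element being read

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._buf = []
        for name, value in attrs:
            if name == "style" and value:
                self._scan("attribute", value)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)   # the parser hands <style> text over undecoded

    def handle_endtag(self, tag):
        if tag == "style" and self._buf is not None:
            self._scan("element", "".join(self._buf))
            self._buf = None

    def _scan(self, source, css):
        decoded = html.unescape(css)  # &colon; becomes ":" as in SVG content
        for match in VECTORS.finditer(decoded):
            self.findings.append((source, match.group(0).lower()))


def audit(markup):
    """Return every (source, token) hit found in the markup's CSS."""
    auditor = StyleAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample input, built from the constructs discussed in the thread.
SAMPLE = "<svg><style>*{background:url(data&colon;text/html,x)}</style></svg>"
BENIGN = "<style>p{color:#369;margin:0 auto}</style>"
```

Running the same pattern over the undecoded `SAMPLE` string finds nothing, which is the filter assumption the post describes.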
