Cross Site Scripting in CSS Stylesheets

Tags: css, xss

Is it possible to use cross-site scripting in a CSS stylesheet? For example, if a referenced stylesheet contains malicious code, how would you do this? I know you can use style tags, but what about stylesheets?

Johnny asked Aug 31 '10 09:08



2 Answers

From the Browser Security Handbook:

The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

... and after reading that, I find this on StackOverflow. See "Using Javascript in CSS":

In Firefox, you can use XBL to inject JavaScript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.

There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.

Sripathi Krishnan answered Oct 09 '22 14:10
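
An added example, not part of the original answer: a defender-side check that flags the three script-bearing constructs quoted above (`expression(...)`, `url('javascript:...')`, `-moz-binding`) in untrusted CSS, after stripping comments and decoding CSS escapes. The function names and sample stylesheets are constructed for illustration.

```javascript
// Added example (not from the thread): flag the script-bearing CSS constructs
// named in the answer above. All names and sample inputs are constructed.

// Strip comments and decode CSS escapes (\65, \000065, \x) in one pass so
// that obfuscated spellings compare equal to the plain keyword.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|([^\r\n\f]))/gi, (_, hex, ch) => {
      if (ch !== undefined) return ch;            // non-hex escape: \x -> x
      const cp = parseInt(hex, 16);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\ufffd";
    })
    .toLowerCase();
}

// Test each url(...) argument with control characters and spaces removed,
// since tabs and newlines inside a URL scheme are ignored by URL parsers.
function hasJavascriptUrl(text) {
  return [...text.matchAll(/url\s*\(\s*['"]?([^)'"]*)/g)]
    .some(m => m[1].replace(/[\x00-\x20]/g, "").startsWith("javascript:"));
}

const CHECKS = [
  ["expression()", t => /expression\s*\(/.test(t)],
  ["url(javascript:)", hasJavascriptUrl],
  ["-moz-binding", t => /-moz-binding\s*:/.test(t)],
];

// Returns the names of every construct found in the stylesheet text.
function findScriptableCss(css) {
  const text = normalizeCss(css);
  return CHECKS.filter(([, hit]) => hit(text)).map(([name]) => name);
}

// Constructed sample stylesheets: one clean, five that should be flagged.
const SAMPLES = [
  "body { color: red; background: url(/img/bg.png) }",
  "div { width: expression(1) }",
  "div { width: \\65xpression(1) }",
  "div { width: expr/**/ession(1) }",
  "a { background: url('java\tscript:void(0)') }",
  "a { -moz-binding: url(/xbl/binding.xml#b) }",
];
for (const css of SAMPLES) {
  console.log(JSON.stringify(css), "->", findScriptableCss(css));
}
```

The check is deliberately conservative: it also flags these keywords when they appear inside a CSS string literal, so a match is a reason to reject the stylesheet rather than to try to rewrite it.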


The OWASP Mutillidae project has a Cascading Style Injection vulnerability example on the page: http://localhost/mutillidae/index.php?page=set-background-color.php

Of course, you need to set up the environment locally first. You can download it and set it up on your localhost from the following link: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

Here is the relevant hint: https://github.com/hyprwired/mutillidae/blob/master/includes/hints-level-1/cascading-style-sheet-injection-hint.inc

ZillGate answered Oct 09 '22 14:10