There are known Style Attribute XSS attacks like:
<DIV STYLE="width: expression(alert('XSS'));">
Or
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
All the examples I've seen use either expression or url functionality - basically some function-like construct that requires "(" and ")".
I'm thinking of the following method of filtering style tags; I would check them using the following (approximate) grammar:
identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value: identifier | number | string | number + "(em|px)" | number + "%"
entry: identifier ":" value (\s value)*
style: (entry ;)*
So basically I allow ASCII properties with numeric values or very limited string values (basically for font names), not allowing anything that looks like a call.
The question is: is this good enough? Are there any attacks that may do something like this:
<DIV STYLE="this-is-js-property: alert 'XSS';">
And succeed?
Can anybody think of an XSS vulnerability in such a test?
To make it clear:
I need style attributes, as many tools like TinyMCE use them, and filtering harmless style attributes off would significantly hurt the functionality.
So I prefer to pass common cases, removing all things that may use @import, url, expression etc., and also make sure that basic CSS syntax is OK.
Answer
No, it is not safe, due to a click-jacking vulnerability.
Examples of reflected cross-site scripting attacks include when an attacker stores malicious script in the data sent from a website's search or contact form. A typical example of reflected cross-site scripting is a search form, where visitors send their search query to the server, and only they see the result.
The 3 main types of cross-site scripting attacks are: Stored XSS, Reflected XSS, DOM-based XSS.
Non-persistent (reflected) XSS is the most common type of cross-site scripting. In this type of attack, the injected malicious script is "reflected" off the web server as a response that includes some or all of the input sent to the server as part of the request.
This does not work, due to a click-jacking vulnerability.
Example:
<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a>
Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164
The code would be perfectly validated but it may cause serious damage.
So, rule of thumb: use a very strict white list or do not allow style attributes.
There is an open foundation out there called OWASP that helps you with this.
To answer your question "Are there any attacks...": Yes!
There is tons of documentation there, and there are libraries you can use to correctly escape all XSS code.
Read the XSS prevention sheet.
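As an added example (not code from the question or the answer), here is a Python check that implements the question's grammar as written and then applies the answer's "very strict white list" on top: the expression() and url() payloads fail the grammar, while the overlay style from the answer passes the grammar but is rejected by the property allow-list. Assumptions: numbers may carry a decimal part (so `opacity: 0.5` parses), whitespace around ":" and ";" is tolerated, and the allow-list is illustrative rather than tuned for any particular editor.

```python
import re

# Tokens of the grammar proposed in the question. One assumption: NUMBER also
# accepts a decimal part, otherwise `opacity: 0.5` would not be valid CSS here.
IDENT = r"[a-zA-Z_][a-zA-Z0-9\-]*"
NUMBER = r"[0-9]+(?:\.[0-9]+)?"
STRING = r"'[a-zA-Z_0-9 ]*'"
VALUE = rf"(?:{NUMBER}(?:em|px|%)?|{IDENT}|{STRING})"
VALUES = rf"{VALUE}(?:\s+{VALUE})*"
# entry: identifier ":" value (\s value)*    style: (entry ;)*
# (whitespace around ':' and ';' is tolerated, another small assumption)
ENTRY_RE = re.compile(rf"({IDENT})\s*:\s*({VALUES})\s*;")
STYLE_RE = re.compile(rf"\s*(?:{IDENT}\s*:\s*{VALUES}\s*;\s*)*")

# Properties a rich-text editor needs for formatting; none of them can take an
# element out of the document flow or make it transparent. Illustrative only.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-weight",
    "font-style", "text-align", "text-decoration", "margin", "padding",
}


def syntax_ok(style):
    """True if the whole attribute value matches the question's grammar."""
    return STYLE_RE.fullmatch(style) is not None


def entries(style):
    """Split a syntactically valid style into (property, value) pairs."""
    return [(m.group(1).lower(), m.group(2)) for m in ENTRY_RE.finditer(style)]


def is_safe_style(style):
    """Grammar check plus a property allow-list (the answer's strict white list)."""
    return syntax_ok(style) and all(p in ALLOWED_PROPERTIES for p, _ in entries(style))


# Constructed samples: the two payloads from the question, the overlay from the
# answer (its style attribute only) and a harmless editor-style string.
EXPRESSION_XSS = "width: expression(alert('XSS'));"
URL_XSS = "background-image: url(javascript:alert('XSS'))"
CLICKJACK = ("display: block; z-index: 100000; opacity: 0.5; position: fixed; "
             "top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;")
BENIGN = "color: red; font-family: 'Times New Roman'; font-size: 12px;"

if __name__ == "__main__":
    for name, s in [("expression", EXPRESSION_XSS), ("url", URL_XSS),
                    ("clickjack", CLICKJACK), ("benign", BENIGN)]:
        print(f"{name:10} grammar={syntax_ok(s)!s:5} safe={is_safe_style(s)}")
```

The "clickjack" line is the point of the answer: it is syntactically clean under the grammar yet only the allow-list stops it.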