Example code:
<!DOCTYPE html>
<html lang="en">
<head><title>XSS test page</title></head>
<body>
<p>
<?php
// Escape the user-supplied value before placing it in a double-quoted attribute;
// fall back to an empty string when the parameter is absent.
$style = htmlspecialchars(isset($_GET['style']) ? $_GET['style'] : '');
echo '<div style="'.$style.'">This is a style test</div>';
?>
</p>
</body>
</html>
Would it be possible to inject javascript code using nothing but a properly escaped html style attribute?
I have heard that it's possible to trigger XSS attacks through CSS (Source 1, Source 2).
I was wondering if this was possible through just the style attribute as well.
asked Mar 20, 2013 at 23:08 by OmnipotentEntity; edited Mar 21, 2013 at 1:24 by Charles
I would imagine so. For example, if the unescaped $style was $style = '"></div><script>alert('xss');</script><div style="' it would work – kennypu Commented Mar 20, 2013 at 23:16
It gets fed through htmlspecialchars, that won't work. – OmnipotentEntity Commented Mar 20, 2013 at 23:17
is this purely for testing if something like that would be a possible XSS-vector only? Because one could definitely render your page unfunctional, for defacement, or (probably with another security-leak somewhere) use it for click-jacking with pure css. A real XSS-problem would exist in old browsers (like IE<8) for example using url(:javascript) or expression() – GNi33 Commented Mar 20, 2013 at 23:27
@OmnipotentEntity if the user would be on IE7 for example (which sadly is still used in corporations too much), I'd say YES. I've seen absolutely crazy ways for injecting JavaScript to outsmart input-validation that are still getting parsed correctly on IE7. Have a look at the OWASP cheat-sheet, sadly I'm not able to find the example-list anymore. – GNi33 Commented Mar 20, 2013 at 23:37
@OmnipotentEntity for great examples of JS-based attack-craziness, browse through some articles on thespanner.co.uk Basically, a clever hacker will possibly find a way... edit: like this gem – GNi33 Commented Mar 20, 2013 at 23:43
2 Answers
I already pointed this out in the comment-section of the question, but I think it fits better as an actual answer.
CSS
Apart from an actual XSS-threat, passing user-input to a style-tag on your page opens up a whole set of other opportunities for attackers, some by just using plain css.
By setting the element to position: absolute;, one could overlay your whole page with it. This could be used to just render it unusable (with opacity:0; for example) or an attacker could use it for a defacement of the whole page. By using CSS3-properties like :before and :after, they are even capable of putting content on your page through CSS.
Another route could be "click-jacking", this was actually already discussed on StackOverflow.
XSS
When it comes to pure XSS though, it would be hard to use this on modern browsers, still I wouldn't say that it's impossible. Anyhow, on older browsers like, for example, Internet Explorer 7, this could be used for an attack. There have been very creative XSS-Injections that were obfuscated and decoded in the craziest ways to outsmart input-validation, which would still succeed on several (now) old browsers because they were still parsing it. Matters got a lot better on modern browsers considering this.
Additionally, there were functions like expression() and background-image:url, which made script-execution possible in CSS for old versions of Firefox, IE7 and older and probably some other browsers.
The OWASP XSS Prevention cheat sheet actually lists an example, where these functions are used in style-tags and style-attributes.
Scriptless Attacks (might work on modern browsers too!)
Putting old browsers and XSS aside, there still are other ways that may be applicable here, mostly in the form of "Scriptless Attacks". Going into detail would blast the scope here, but there is a great presentation on this topic, providing several ways and good examples on how even modern browsers could be affected. Another example would be this blog post where CSS was used for Cross Site Request Forgery. (a big thanks to @BenjaminGruenbaum for providing the links)
Finally, for a great insight on how crazy clever attackers can get when it comes to script-insertion, I recommend browsing http://www.thespanner.co.uk/. For example, there's even a pretty wild example of XSS on a style-attribute, stated to work "on IE7 and Firefox (no version given)".
So, watch out really well when doing things like that, people might still find a way...
It depends on the browser. For example IE had scripting within CSS and style tags via the expression keyword. Thankfully this went away in IE8.
From my limited PHP knowledge what you are doing is fine; htmlspecialchars() works as you use it for an attribute value surrounded by quotes. If you leave the quotes off and did <div style='.$style.'> then you are in for a world of trouble.
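As an added example (not code from the question or either answer), a PHP helper that renders the attribute the way the second answer describes, always double-quoted and escaped, and adds the property allowlist that the first answer's plain-CSS abuses (overlays, expression(), url()) call for. The allowlist, the value regex and the function names are this example's own choices, not anything the page prescribes.

```php
<?php
// Added example, not from the question or either answer: render a user-supplied
// style attribute as the second answer recommends (always double-quoted and
// escaped) and add a property allowlist so the plain-CSS abuses from the first
// answer (position:absolute overlays, expression(), url()) are dropped as well.
// The allowlist, the regex and the function names are this example's own choices.

const ALLOWED_STYLE_PROPS = ['color', 'background-color', 'font-weight', 'font-size', 'text-align'];

// Keep only "prop: value" declarations whose property is allowlisted and whose
// value is one simple token (keyword, hex colour, or number with optional unit).
function filter_style(string $css): string
{
    $kept = [];
    foreach (explode(';', $css) as $decl) {
        $parts = explode(':', $decl, 2);
        if (count($parts) !== 2) {
            continue; // not of the form "prop: value"
        }
        $prop  = strtolower(trim($parts[0]));
        $value = trim($parts[1]);
        if (!in_array($prop, ALLOWED_STYLE_PROPS, true)) {
            continue; // e.g. position, opacity, background-image, behavior
        }
        // A single token cannot contain parentheses, quotes, commas or
        // backslashes, so expression(...) and url(...) never pass.
        if (!preg_match('/^(#[0-9a-fA-F]{3,6}|[a-zA-Z-]+|-?\d+(\.\d+)?(px|em|rem|%)?)$/', $value)) {
            continue;
        }
        $kept[] = $prop . ': ' . $value;
    }
    return implode('; ', $kept);
}

// The attribute is always emitted inside double quotes, and ENT_QUOTES escapes
// both " and ', so the unquoted form the second answer warns about never occurs.
function style_div(string $userStyle, string $text): string
{
    $style = htmlspecialchars(filter_style($userStyle), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text  = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div style="' . $style . '">' . $text . '</div>';
}

// Constructed inputs: the break-out payload from the comments, an old-IE
// expression(), and a benign declaration.
echo style_div('"></div><script>alert(\'xss\');</script><div style="', 'test'), "\n";
echo style_div('width: expression(alert(1)); color: red', 'test'), "\n";
echo style_div('color: #ff0000; font-weight: bold', 'test'), "\n";
```

The first two inputs come out as an empty attribute and as color: red respectively, since nothing in them survives the allowlist; only the benign declaration is passed through intact.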