Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/3607894/

Time: 2020-08-29 22:40:38  Source: igfitidea

Cross Site Scripting in CSS Stylesheets

Tags: css, xss

Asked by Johnny

Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this? I know you can use style tags but what about stylesheets?

Accepted answer by Sripathi Krishnan

From the browser security handbook

The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.

... and after reading that, I find this on StackOverflow. See Using Javascript in CSS

In Firefox, you can use XBL to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.

There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.
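
As an added example (not part of the original answers or of the handbook), this small Node.js check flags the three constructs the handbook quote lists in an untrusted stylesheet, after undoing CSS comments, backslash escapes and case differences. The function names and the sample stylesheets are constructed for illustration.

```javascript
// Added example: deny-list check for script-capable CSS constructs.
// Function names and SAMPLES are hypothetical, constructed for this page.

// Decode CSS backslash escapes (\65, \000065 , \e) so an escaped keyword
// compares equal to its plain spelling.
function decodeCssEscapes(css) {
  const re = /\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g;
  return css.replace(re, (match, hex, ch) => {
    if (hex === undefined) return ch; // \x -> x for non-hex characters
    const cp = parseInt(hex, 16);
    // NUL and out-of-range code points become U+FFFD, as in CSS Syntax.
    return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// One rule per construct named in the Browser Security Handbook quote.
const RULES = [
  { name: 'expression()', re: /expression\s*\(/ },
  { name: "url('javascript:...')", re: /url\s*\(\s*['"]?\s*javascript\s*:/ },
  { name: '-moz-binding', re: /-moz-binding\s*:/ },
];

// Return the names of the rules that match the normalized stylesheet text.
function findScriptableCss(css) {
  const withoutComments = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const normalized = decodeCssEscapes(withoutComments).toLowerCase();
  return RULES.filter((rule) => rule.re.test(normalized)).map((rule) => rule.name);
}

// Constructed, inert sample stylesheets.
const SAMPLES = {
  benign: 'body { background: url("/img/bg.png"); color: #336699; }',
  expression: 'div { width: expression(1); }',
  escaped: 'div { width: \\65xpression(1); }',
  commentSplit: 'div { width: expr/**/ession(1); }',
  jsUrl: "a { background: URL( 'JavaScript:void(0)' ); }",
  binding: 'p { -moz-binding: url("bindings.xml#b"); }',
};

for (const [label, css] of Object.entries(SAMPLES)) {
  const hits = findScriptableCss(css);
  console.log(label.padEnd(13), hits.length ? 'REJECT ' + hits.join(', ') : 'ok');
}
```

A match means the stylesheet should be rejected rather than repaired. For CSS that comes from users, an allow-list of permitted properties and value shapes is a stronger control than a deny-list like this one.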

Answer by ZillGate

The OWASP Mutillidae project has a Cascading Style Injection vulnerability example on page: http://localhost/mutillidae/index.php?page=set-background-color.php

Of course, you need to set up the env locally first. You can download and set it up on your localhost from the following link: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project

Here is the relevant hint: https://github.com/hyprwired/mutillidae/blob/master/includes/hints-level-1/cascading-style-sheet-injection-hint.inc

Answer by Haim Evgi

Yes, it's called Xsstc; read more in this article:

http://www.tralfamadore.com/2008/08/xsstc-cross-site-scripting-through-css.html
