3

As part of our class project, we are studying the attacks that could be done using CSS injection. In our threat model, the attacker can manipulate any CSS file on the server. If the attacker replaces the original CSS file with a malicious CSS file and the web server sends this malicious CSS file to the client, can the attacker execute some code in the client?

For example, a CSS file contains information like this

#mw-indicator-mw-helplink a {
  background-image: url('images/help.png');
  background-image: linear-gradient(transparent, transparent), /* @embed */ url('images/help.svg');
  background-repeat: no-repeat;
  background-position: left center;
  padding-left: 28px;
  display: inline-block;
  height: 24px;
  line-height: 24px;
}

Can an attacker change the URL to some malicious URL and execute some code in the client?

satya
  • It's possible to execute JavaScript if you are using some old version of IE (should we really develop on this thought?). On modern browsers, I don't think you can do anything significant if you can only change some values like the URL here. However, if you can change the whole CSS file, there are existing edge attacks working on modern browsers. https://www.nds.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf – Xavier59 Dec 09 '18 at 14:54
  • code exec on old IE version : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3971 – Xavier59 Dec 09 '18 at 15:00
  • @Xavier59 Thanks for the reply. I am looking for attacks on modern browsers. – satya Dec 09 '18 at 15:08
  • Found this helpful https://security.stackexchange.com/questions/177962/xss-arbitrary-file-in-background-image-css-property?rq=1 – satya Dec 09 '18 at 15:19

1 Answer

3

> If the attacker replaces the original CSS file with a malicious CSS file and the web server sends this malicious CSS file to the client, can the attacker execute some code in the client?

Executing client-side code via CSS does not work in modern browsers.

I highly recommend taking a look at "Scriptless Attacks – Stealing the Pie Without Touching the Sill", "CSS: Cascading Style Scripting", and LiveOverflow's recent video "The Curse of Cross-Origin Stylesheets" if you are interested in learning more on scriptless attacks that rely on CSS.

> Can an attacker change the URL to some malicious URL and execute some code in the client?

Actually executing malicious JavaScript via url() will only work in outdated browsers.

EdOverflow
  • Thank you. May you spot the versions affected by the change please? Are there still cases when CSS `expression()` can be used? – user2284570 Jan 09 '19 at 19:07
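
An added example, not part of the original question, answer or comments: a Node.js audit that a site owner could run over a served stylesheet to flag the constructs this thread discusses, namely `expression()`, `javascript:` targets inside `url()`, and `url()` values that point away from the site's own origin. The origin `https://wiki.example`, the function names and the last three rules of the sample are assumptions constructed for the example.

```javascript
// Added example. SAMPLE_CSS: first rule is from the question; the rest is constructed.
const SAMPLE_CSS = `
#mw-indicator-mw-helplink a {
  background-image: url('images/help.png');
  background-image: linear-gradient(transparent, transparent), /* @embed */ url('images/help.svg');
}
.a { background-image: url("https://other.example/help.png"); }
.b { background-image: url(javascript:void0); }
.c { width: expression(document.body.clientWidth); }
`;

// Decode CSS backslash escapes ("\6a " is "j") so an obfuscated scheme is still seen.
function unescapeCss(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (_, hex, ch) => {
    if (ch !== undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// Returns [{kind, value}] for a stylesheet served to pages on pageOrigin (hypothetical API).
function auditCss(css, pageOrigin) {
  const findings = [];
  // Simplification: comments are stripped with a regex, not a full CSS tokenizer.
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ' ');
  // expression() is the legacy IE construct asked about in the comments.
  if (/expression\s*\(/i.test(unescapeCss(text))) {
    findings.push({ kind: 'expression', value: 'expression(' });
  }
  const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
  for (const m of text.matchAll(urlRe)) {
    const raw = unescapeCss(m[1] ?? m[2] ?? m[3] ?? '').trim();
    const compact = raw.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
    if (/^javascript:/.test(compact)) {
      findings.push({ kind: 'script-url', value: raw });
      continue;
    }
    let target;
    try { target = new URL(raw, pageOrigin + '/'); } catch {
      findings.push({ kind: 'unparseable-url', value: raw });
      continue;
    }
    // A changed url() does not run script in a modern browser, but it is still fetched.
    if (target.protocol !== 'data:' && target.origin !== pageOrigin) {
      findings.push({ kind: 'off-origin-url', value: target.href });
    }
  }
  return findings;
}
console.log(auditCss(SAMPLE_CSS, 'https://wiki.example'));
```

Run against the sample, the two relative `images/...` URLs from the question pass, and the three constructed rules are reported.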