Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this? I know you can use style tags but what about stylesheets?
A:
yes its call Xsstc , read more in this article:
http://www.tralfamadore.com/2008/08/xsstc-cross-site-scripting-through-css.html
Haim Evgi
2010-08-31 09:56:15
I've seen that site, however it looks like it requires JavaScript.
Johnny
2010-08-31 09:59:36
yes you right it requires JavaScript
Haim Evgi
2010-08-31 10:16:08
Really I was looking for an alternative to expression() on FF
Johnny
2010-08-31 10:23:28
A:
From the browser security handbook
The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(...) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a CSS parameter; by using the url('javascript:...') directive on properties that support it; or by invoking browser-specific features such as the -moz-binding mechanism of Firefox.
... and after reading that, I find this on StackOverflow. See http://stackoverflow.com/questions/476276/using-javascript-in-css#answer-482088 In Firefox, you can use XBL to inject javascript in a page via CSS. However, the XBL file must reside in the same domain, now that bug 324253 is fixed.
There is another interesting (though different from your question) way to abuse CSS. See http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html. Essentially, you misuse the CSS parser to steal content from a different domain.
sri
2010-08-31 20:55:39
I've heard of that handbook but didn't think it was worth a read. Now I do. Thanks for the answer. :) So IE8 doesn't support expression() in standards mode. (Just thought I'd mention)
Johnny
2010-09-01 06:39:20