
javascript URIs on stylesheets/redirections

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Mon, 7 Dec 2009 13:31:06 +0800
Message-ID: <8ba534860912062131u70a05939g68490327c0c8db4e@mail.gmail.com>
To: public-web-security@w3.org
Here:
http://dev.w3.org/html5/spec/Overview.html#origin

2 comments.

It says:
If a script is a javascript: URL in a style sheet
    The owner is the URL of the style sheet.

That means javascript URIs will be allowed?

And.. are you aware that CSS doesn't hard-fail? (I mean.. it's not like JS
that will exit at the first syntax error).

something like:

http://www.google.com/search?for=something
  <!doctype html5>
  <html>
  ....
  <a href="http://www.example.com/}body{background-image:url(javascript:alert('who am I?'))}">link</a>

can be interpreted as a stylesheet..
<link href="http://www.google.com/search?for=something">

and execute the CSS, and according to that spec.. with www.google.com as
its origin.. that's super dangerous!

This is a PoC (without the actual unimplemented xss):
http://attacker.sirdarckcat.net/xss.php?html_xss=%3Cstyle%3E@import%20url%28%27http://victim.sirdarckcat.net/xss.php?html_xss=}%250D%250Abody{background-image:url%28http://t0.gstatic.com/images?q=tbn:cOeIS9pmn6i8YM:http://epicfail/%29}%250D%250Ax{%27%29;%3C/style%3E

Just change the http:// to javascript: (for when this gets implemented)
and you've got a cool nice UXSS..

The second one:
If a script is a javascript: URL that was returned as the location of an
HTTP redirect (or equivalent in other protocols)
    The owner is the URL that redirected to the javascript: URL.

This is NOT happening as of right now.. on any browser AFAIK. You can try!
http://tinyurl.com/jsredirect

And preview: http://preview.tinyurl.com/jsredirect

The only "redirects" that execute JS are Refresh (via headers or meta).. but
I wouldn't consider them an HTTP redirect.. per se..

I haven't reviewed the whole spec, but this stuff is disappointing..

Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China
Received on Monday, 7 December 2009 05:32:06 GMT
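As an added defender-side example (not part of Eduardo's post, nor any browser's or spec's code), the two checks that address his points: only apply a fetched resource as a stylesheet when its Content-Type is text/css, which is the rule browsers later adopted for cross-origin sheets (the same-origin quirks-mode exception modelled here is an assumption), and flag url() tokens whose scheme is javascript:. The sample URLs and CSS are the post's own values.

```python
import re
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple:
    """(scheme, host, port) origin tuple of an absolute URL."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def may_apply_stylesheet(doc_url: str, sheet_url: str, content_type: str,
                         quirks_mode: bool = False) -> bool:
    """Assumed model of the mitigation for the cross-site stylesheet trick
    in the post: a response is applied as CSS only when served as text/css.
    A same-origin response with another type is tolerated only in quirks
    mode; a cross-origin one never is, so an HTML search page pulled in via
    <link> or @import from another site is simply ignored."""
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime == "text/css":
        return True
    return quirks_mode and origin_of(doc_url) == origin_of(sheet_url)


# url( <optional quote> <scheme>:   -- enough to read the scheme of a url() token
URL_SCHEME = re.compile(r"url\(\s*['\"]?\s*([a-z][a-z0-9+.\-]*)\s*:", re.I)


def javascript_urls(css_text: str) -> list:
    """Offsets of url() tokens whose scheme is javascript:, the case the post
    worries the spec would run with the sheet's origin. Limitation: CSS
    escapes (e.g. j\\61 vascript) are not decoded, so an audit based on
    this alone is a signal, not a guarantee."""
    return [m.start() for m in URL_SCHEME.finditer(css_text)
            if m.group(1).lower() == "javascript"]


if __name__ == "__main__":
    # Constructed scenario from the post: an HTML page included as a sheet.
    print(may_apply_stylesheet("http://www.example.com/",
                               "http://www.google.com/search?for=something",
                               "text/html; charset=UTF-8"))  # False
    print(javascript_urls("body{background-image:url(javascript:alert('who am I?'))}"))  # [22]
```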

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT