XSS attacks and style attributes

There are known Style Attribute XSS attacks like:

<DIV STYLE="width: expression(alert('XSS'));">

Or

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

All the examples I've seen use either expression or url functionality - basically something function like that require "(" and ")".

I'm thinking of following method of filtering style tags, I would check them using following (approximately) grammar:

identifier: [a-zA-Z_][a-zA-Z0-9\-]*
number: [0-9]+
string: '[a-zA-Z_0-9 ]*'
value : identifier | number | string | number + "(em|px)" | number +"%"
entry: identifier ":" value (\s value )*
style: (entry ;)*

So basically I allow ASCII properties with numeric values or very limited string values (basically for font names) not allowing using anything 开发者_运维百科that looks like call.

The question is this good enough? Are there any attacks that may do something like that:

<DIV STYLE="this-is-js-property: alert 'XSS';">

And succeed?

Can anybody think of XSS vulnerability of such test?

To Make it clear

I need style attributes as many tools like TinyMCE use them and filtering harmless style attributes off would significantly hurt the functionality.

So I prefer pass common cases removing all things that may use @import, url, expression etc. And also make sure that basic css syntax is ok.

Answer

No it is not safe due to click-jacking vulnerability.

This does not work due to click-jacking vulnerability.

Example:

<a href="http://example.com/attack.html" style="display: block; z-index: 100000; opacity: 0.5; position: fixed; top: 0px; left: 0; width: 1000000px; height: 100000px; background-color: red;"> </a> 

Found at: http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=164

The code would be perfectly validated but it may cause serious damage.

So - rule of thumb use very strict white list or do not allow style attributes.

There is an open foundation out there called OWASP that helps you with this.

To answer your question Are there any attacks....; Yes!

There are tons of documentation there, and there are libraries you can use to correctly escape all XSS code.

Read the XSS prevention sheet.

Yes, you can use XSS attacks with Style attributes .

These styles were injected as we didn't have them declared in our tags in a particular jsp page but got through when audited by our security group:

<img src="<path here>" style=x:ex/**/pression
(alert(54163)) ".gif"

I'm thinking of using an HTTP filter to stop it here, but I'm still looking into it.

We also didn't have our hidden input fields proteccted either and this got through as well:

<input type="hidden" name="<variable name here>" value="<value here>"  style=x:ex/**/pression(alert
(54163)) "">

With a tool like Burpsuite, you can modify requests on the fly to inject XSS into tags like this. However, with the ESAPI API's from OWASP, you can add protection. We weren't using JSTL tags as it was old legacy code, so that was the best short term solution.

For the hidden input I used;

<input type="hidden" name="id" value="<%=ESAPI.encoder().encodeForHTMLAttribute(id)%>"

You can also use XSS with the js onload event in an img tag:

Security rule #1: If you are the least in doubt, presume there is a hole.

What are you trying to achieve? What functionality would cause CSS from an untrusted source?