Wednesday, September 3rd, 2008

Xsstc: Cross-site scripting through CSS data

Category: Security

Wes Biggs has posted on Xsstc, his cross-site scripting solution that uses CSS to hide the data:

It turns out CSS leaks data in a very subtle way. Properties set by an external stylesheet (that is, one that is loaded using a LINK REL=”STYLESHEET” tag) are used to style the elements of the host page, and at runtime the page can introspect itself to see what styles have been applied. Most of these tend to be strictly prescribed data, such as background colours for block elements, or some multiple choice items, like left/center/right alignment for text. While you could conceivably come up with a binary (or ternary) system based on that, it would be a pretty nasty job to try to make those into a general-purpose data channel. Fortunately, there are a few places where CSS lets you specify essentially free-text attributes: image URLs.

To make this work, the server has to dynamically send out simple CSS data, with info encoded into it… e.g. note the ‘Hello World’

  1. #Xsstc {
  2.  background-image: url('about:blank#Hello%20World');
  3. }

To tie into the data, you just need to exec away via:


  1. Xsstc.exec('', showResponse)

You can see the test page to see it at work. An interesting hole indeed….

Posted by Dion Almaer at 5:37 am

3.7 rating from 18 votes


Comments feed TrackBack URI

So what? How could you exploit it?

Comment by alshur — September 3, 2008

The original myspace “samy” virus actually ran the script through the css expression().

Comment by antimatter15 — September 3, 2008

So, it seems that because of the proprietary IE-specific expression(), this technique isn’t any better than a tag in transferring information between two websites: the querying website must absolutely trust the site providing the data.

(This gets “fixed” in IE8b2 and standard mode, see

Anyway – before wide postMessage() adoption, Flash and crossdomain.xml might be the best we have. With all its holes.

Comment by nbr — September 21, 2008

Seems that nbr is right. It doesn’t appear to be better, but certainly an alternative. Good to know.

Comment by Fluege — October 30, 2008

Leave a comment

You must be logged in to post a comment.