Can a CSS file contain malicious code?

D

dollar2018-10-24 08:06:16

css

dollar, 2018-10-24 08:06:16

For example, if you connect like this:

<link rel="stylesheet" href="http://evil.com/styles.css">

In particular, can the style attribute contain malicious code? That is, if I connect people unknown to me to the css site, can they access the data on the site? Maybe it's possible to somehow put the JS code in the styles? Or to ensure that data is sent from the site through an external URL in styles? Or something else?
<span style="..."> </span>

Reply

Answer the question

In order to leave comments, you need to log in

6 answer(s)

I

Ivan Bogachev, 2018-10-24
@dollar

For example, if you connect like this:
Using CSS, you can make an under- keylogger that will give information about what the user starts typing (repetitions of the same character no longer work).
You can send yourself information about where the user clicks - links, checkboxes, even the duration of the mouse over a particular object. You can see examples here . I myself have not tested all the ideas from there, but those that have been tested work. Actually, they like to use this whole garbage in letters, but no one bothers to implement it on the site.
You can mock the "disabling" of the buttons (for example, change pointer-events) or even hide some important blocks and users will not be able to use the site normally. For any store, this is a complete fail, as you understand. Moreover, unlike a complete deface, users may not even understand that something is wrong.

F

frees2, 2018-10-24
@frees2

No better or worse than any test file. Register on the php server to insert js there, for example.

A

Anubis, 2018-10-24
@Anubis

The only thing that can be malicious in a style file included via a link is its gigantic size.

A

Andrey Fedorov, 2018-10-24
@aliencash

Malicious code can contain css - encoded in base64, but it is not a trivial task to use it. At least your data on the server is not in danger. Users of the site are under theoretical threat.

K

Kirill Nesmeyanov, 2018-10-24
@SerafimArts

Inside css, you can embed JS for IE and FF.

body {
  behavior:url(script.htc);
}

// ....

<public:component tagname="xss">
   <public:attach event="ondocumentready" onevent="main()" literalcontent="false" />
</public:component>
<script>
function main() {
    alert("HTC script executed.");
}
</script>

body {
  -moz-binding: url(script.xml#mycode);
}

// ....

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl" xmlns:html="http://www.w3.org/1999/xhtml">
    <binding>
        <implementation>
            <constructor>
                alert("XBL script executed.");
            </constructor>
        </implementation>
    </binding>
</bindings>

So in theory, any cookies without the http-only flags can go to a third party site.

K

krundetz, 2018-10-24
@krundetz

As with any software product, there may be bugs in the browser. For example errors leading to buffer overflows. Therefore, attackers can use css for these purposes, and any other content.