CSS Injection article (#123)

NDevTK · terjanq · web-flow · commit a2acf383ac4d · 2021-11-06T00:19:56.000+01:00
* Create css-injection.md

* Removed CSS Injection stuff

* Update css-injection.md

* Add Defense

* Add display: blank

* Update css-injection.md

* Update content/docs/attacks/css-injection.md

Co-authored-by: terjanq &lt;terjanq@users.noreply.github.com&gt;

Co-authored-by: terjanq &lt;terjanq@users.noreply.github.com&gt;
diff --git a/content/docs/attacks/css-injection.md b/content/docs/attacks/css-injection.md
@@ -0,0 +1,39 @@
++++
+title = "CSS Injection"
+category = [
+    "Attack"
+]
+abuse = [
+    "CSS"
+]
+menu = "main"
+weight = 2
++++
+
+## CSS Injection
+
+{{< hint warning >}}
+This group of XS-Leaks requires a CSS injection on the target page.
+{{< /hint >}}
+
+Among the different CSS injection vectors, the most noticeable one is the abuse of CSS Selectors. They can be used as an expression to match and select certain HTML elements. For example, the selector `input[value^="a"]` is matched if the value of an `input` tag starts with the character "a". So, to detect if a CSS Selector matches the expression, attackers can trigger a callback to one of their websites using certain properties like `background`, `@import`, etc. [^1] [^2]. The matching process can easily be brute-forced, and extended to the full string.
+
+Page content such as JavaScript can be leaked by abusing Font [ligatures](https://wikipedia.org/wiki/Ligature_(writing)) as a sequence of characters can have its own representation.
+
+Some HTML tags that are normally hidden such as style and script can be rendered as text by applying a style like `* { display: block; }`. Hence, their content could be potentially leaked as well. 
+
+Larger text dimensions can result in the scroll bar being shown,  
+This scroll bar can have a custom style such as `background: url()` so that it makes a request to an attacker-controlled server when shown. [^3]
+
+## Defense
+- Put attacker controled content in its own document this can be done using a iframe with the srcdoc attrbute.
+Optionaly include the sandbox attbute to isolate the content into its own origin.
+- Use a CSS inliner so global styles get converted.
+
+| [SameSite Cookies (Lax)]({{< ref "/docs/defenses/opt-in/same-site-cookies.md" >}}) | [COOP]({{< ref "/docs/defenses/opt-in/coop.md" >}}) | [Framing Protections]({{< ref "/docs/defenses/opt-in/xfo.md" >}}) |                  [Isolation Policies]({{< ref "/docs/defenses/isolation-policies" >}})                   |
+| :--------------------------------------------------------------------------------: | :-------------------------------------------------: | :---------------------------------------------------------------: | :------------------------------------------------------------------------------------------------------: |
+|                                         ❌                                          |                          ❌                          |                                 ❌                                 | ❌  |
+## References
+[^1]: CSS Injection Primitives, [link](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
+[^2]: HTTPLeaks, [link](https://github.com/cure53/HTTPLeaks/)
+[^3]: Font ligatures, [link](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
diff --git a/content/docs/attacks/timing-attacks/execution-timing.md b/content/docs/attacks/timing-attacks/execution-timing.md
@@ -81,14 +81,6 @@ To make a timing measurement, an attacker can perform the following steps:
 
 Since no navigation actually occurs, steps 3 to 5 can be repeated to obtain more measurements on successive JavaScript execution timings.
 
-## CSS Injections
-
-{{< hint warning >}}
-This group of XS-Leaks requires a CSS injection on the target page.
-{{< /hint >}}
-
-Among the different CSS injection vectors, the most noticeable one is the abuse of CSS Selectors. They can be used as an expression to match and select certain HTML elements. For example, the selector `input[value^="a"]` is matched if the value of an `input` tag starts with the character "a". So, to detect if a CSS Selector matches the expression, attackers can trigger a callback to one of their websites using certain properties like `background`, `@import`, etc. [^6] [^7]. The matching process can easily be brute-forced, and extended to the full string.
-
 ### jQuery, CSS Selectors & Short-circuit Timing
 
 Attackers can abuse another interesting behavior of CSS selectors which is `short-circuit` evaluation of expressions. This expression is received in a `URL` hash and evaluated if the page executes `jQuery(location.hash)` [^3].
@@ -130,5 +122,3 @@ Regular Expression Denial of Service (ReDoS) is a technique which results in a D
 [^3]: A timing attack with CSS selectors and Javascript, [link](https://blog.sheddow.xyz/css-timing-attack/)
 [^4]: Security: XS-Search + XSS Auditor = Not Cool, [link](https://bugs.chromium.org/p/chromium/issues/detail?id=922829)
 [^5]: A Rough Idea of Blind Regular Expression Injection Attack, [link](https://diary.shift-js.info/blind-regular-expression-injection/)
-[^6]: CSS Injection Primitives, [link](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
-[^7]: HTTPLeaks, [link](https://github.com/cure53/HTTPLeaks/)
