This is the English version of my article The future of XSS attacks.
When a site does not allow any tags or angle brackets, a Cross-Site Scripting attack can still be conducted through tag attributes (properties). This can be the style property or various event handlers (and sometimes the attack is possible via the src property). The attack needs quotes (single or double, though sometimes quotes are not even required) to add a new property to the tag into which we managed to inject the code.
In an attack via the style property, the following methods are used (the code executes automatically when the page opens):
1. Via expression(), which works only in IE browsers (before IE8).
2. Via background:url() or background-image:url(), which works only in IE browsers.
3. Via -moz-binding:url(), which works only in Mozilla Firefox and other browsers on the Gecko engine (before Firefox 3).
Examples of attacks with expression() and -moz-binding can be seen in the case of the vulnerabilities at www.ibm.com.
In an attack via event handlers, the following methods are used:
1. Via onMouseOver, onfocus, onblur, onselect, onchange, onclick and other events (the code executes when the corresponding event fires).
2. Via onerror, onload, onunload (the code executes automatically when the page opens, or when it closes in the case of the onunload event).
The opportunity to use onerror, onload and onunload does not arise very often, and the other handlers do not trigger automatically, so they are less popular for conducting XSS attacks. Attacks via the style property are used most often.
But already in 2008, in Firefox 3, the possibility of attack via -moz-binding was removed (it was removed partly: an attack is still possible, but only with XML files on the same site), which I wrote about in the article XSS attacks in Mozilla Firefox via styles. And in Internet Explorer 8, which was released at the beginning of 2009, support for expression() was removed. Support for javascript and vbscript URIs in background and background-image may also be removed with time.
So in light of these events it has become harder to conduct automated XSS attacks in new browsers under such conditions (when it is not possible to use any tags or angle brackets). And the more widespread these browser versions become, the harder it will be to conduct XSS attacks under such conditions (automated ones, which do not need the user to take any action). On the other hand, browsers such as Opera, Chrome and others completely resist attacks via the style property.
To solve this task, the MouseOverJacking technique, which I have already written about, can be used. This technique allows conducting an automated XSS attack. Moreover, it is a cross-browser solution that works in all browsers, including IE8: when CSS is used (as in my PoCs), it allows bypassing IE8’s built-in protection against Clickjacking.
I.e. MouseOverJacking can be used not only for the specific attacks described in the article about this technique, but for a wide variety of XSS attacks (instead of expression() and -moz-binding). The attack is fully automated, so its effectiveness is the same as with expression() and -moz-binding (and because it is cross-browser, it is possible to attack even more users).
Such attacks can be conducted via MouseOverJacking as well as via Clickjacking. But MouseOverJacking has higher effectiveness, because in a Clickjacking attack the victim must click (which does not always happen), while MouseOverJacking needs no action other than a single move of the mouse (which will always happen).
Examples of PoCs for Cross-Site Scripting vulnerabilities.
For reflected XSS:
http://site/script?param=%22%20style=%22width:100%;height:100%;display:block;position:absolute;top:0px;left:0px%22%20onMouseOver=%22alert(document.cookie)%22
For persistent XSS:
<a href="#" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)"> </a>
So I propose using the MouseOverJacking technique for a wide variety of XSS attacks (when it is impossible to use tags and angle brackets). Security professionals and attackers can use this technique for creating PoCs for XSS vulnerabilities or for conducting XSS attacks.
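The same injection seen from the side of the site's output code, as an added example that is not part of the original article: a filter that removes only angle brackets lets the reflected PoC parameter add style and onMouseOver to the tag, while encoding quotes for the attribute context keeps it inside value. The input template, the helper names and the small attribute lister are assumptions made for this illustration.

```javascript
// Constructed sample: the reflected parameter from the article's PoC, URL-decoded.
const payload = '" style="width:100%;height:100%;display:block;position:absolute;' +
  'top:0px;left:0px" onMouseOver="alert(document.cookie)"';

// Attributes the (hypothetical) template itself declares.
const TEMPLATE_ATTRS = ['type', 'name', 'value'];

// Weak filter (hypothetical): removes only angle brackets, the condition the article assumes.
function stripAngleBrackets(value) {
  return String(value).replace(/[<>]/g, '');
}

// Attribute-context encoder (hypothetical helper): encodes every character that can
// terminate a quoted attribute value or open a tag.
function encodeAttr(value) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;', '`': '&#96;' };
  return String(value).replace(/[&"'<>`]/g, (c) => map[c]);
}

// Hypothetical template: the parameter is reflected into a double-quoted attribute.
function render(value, filter) {
  return '<input type="text" name="param" value="' + filter(value) + '">';
}

// Lists attribute names of the single constructed tag above (not a full HTML parser).
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Check for output review: style or on* attributes that the template did not declare.
function injectedAttributes(tag, expected) {
  return attributeNames(tag).filter(
    (n) => !expected.includes(n) && (n === 'style' || n.startsWith('on')));
}

console.log('brackets stripped:',
  injectedAttributes(render(payload, stripAngleBrackets), TEMPLATE_ATTRS));
console.log('attribute-encoded:',
  injectedAttributes(render(payload, encodeAttr), TEMPLATE_ATTRS));
```

The encoder assumes the template always quotes the attribute value; in an unquoted attribute a space is enough to start a new property, which is the case mentioned above where quotes are not required.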