Superbug

Information Security Community

XSS Attack Vector at "style" Context with LESS




LESS & SASS suddenly came to my mind while researching CSS injection attacks. You know, both are CSS pre-processors, so I think they don't support any client-based operations. It is a mistake...
I saw less.js when visiting the http://lesscss.org/ page. less.js interprets JavaScript code enclosed in backtick characters in LESS code, so a DOM-based XSS vulnerability arises at this point.
I published it on Twitter as a new attack vector for LESS.



Also thanks to Rakesh Mane for the shortening!



less.js includes a regex pattern for the type attribute of the style element.


var t=/^text\/(x-)?less$/;
So these payloads are supported:

<style type='text/less'>x{x:`alert(1)`}</style>
<style type='text/x-less'>x{x:`alert(1)`}</style>
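
A defensive check for the pattern described above, as an added example that is not code from the original post or from less.js: it scans markup for style elements whose type matches the quoted regex and reports any backtick expressions inside them. The function name and the sample markup are constructed for illustration, and the regex-based tag matching is an assumption suitable for triage only.

```javascript
// Added example (not less.js code): flag LESS style blocks that contain
// backtick expressions, which less.js may evaluate as JavaScript.

// Type pattern as quoted from less.js in the post.
const LESS_TYPE = /^text\/(x-)?less$/;

// Assumption: regex tag matching is enough for triage; use a real HTML
// parser in a production pipeline.
const STYLE_TAG = /<style\b([^>]*)>([\s\S]*?)<\/style\s*>/gi;
const TYPE_ATTR = /\btype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
const BACKTICK_EXPR = /`([^`]*)`/g;

function findLessInlineJs(html) {
  const findings = [];
  for (const tag of html.matchAll(STYLE_TAG)) {
    const attr = TYPE_ATTR.exec(tag[1]);
    if (!attr) continue; // no type attribute: not picked up by the pattern
    // Lower-casing is a conservative choice of this example; the quoted
    // regex itself is case-sensitive.
    const type = (attr[1] ?? attr[2] ?? attr[3]).trim().toLowerCase();
    if (!LESS_TYPE.test(type)) continue;
    for (const expr of tag[2].matchAll(BACKTICK_EXPR)) {
      findings.push({ type, expression: expr[1], offset: tag.index });
    }
  }
  return findings;
}

// Constructed sample: the two payloads from the post plus two benign blocks
// (plain CSS containing backticks, and LESS without backticks).
const SAMPLE = [
  "<style type='text/less'>x{x:`alert(1)`}</style>",
  "<style type='text/x-less'>x{x:`alert(1)`}</style>",
  "<style type=\"text/css\">a{content:'`not less`'}</style>",
  "<style type='text/less'>@c: #333; a{color:@c}</style>",
].join("\n");

for (const f of findLessInlineJs(SAMPLE)) {
  console.log(`inline JS in <style type="${f.type}"> at offset ${f.offset}: ${f.expression}`);
}
```

Less 3.0 and later disable inline JavaScript evaluation by default (the `javascriptEnabled` option), so findings matter most where an older less.js is loaded or that option has been turned on.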