Less is a preprocessor language for CSS. It offers functionality, such as variables, that makes CSS easier to write. In a situation like WordPress, where arbitrary styling can be added by users, the threat vector this creates needs to be considered!
Prior to Less 3.0, JavaScript evaluation within Less files was allowed. Using an inline backtick to include JavaScript could therefore be used to compromise the CSS preprocessor. In newer versions, the setting javascriptEnabled must be set to true for this to work. Besides the obvious case for RCE, this makes for simple XSS if the environment is isolated. All of this was prior research.
What else can be done? The import syntax can be used to import files that should NOT be allowed. For instance, AWS credentials are something that can be read this way. Additionally, import supports URL-based imports, so SSRF is also possible.
Less also supports plugins, which can be included directly in the Less code from a remote source. Because an attacker can control the content of the plugin, this creates a great opportunity for compromise! If processed on the client side, it is XSS. If processed on the server side, it is RCE. Wow, that's really bad!
The author took the liberty of taking this research and using it on codepen.io. The local file inclusion (LFI) bug worked like a charm to leak /etc/passwd and AWS credentials. Additionally, because the Less was processed on the server side, they got code execution on the box as well.
The more feature-rich something is, the more likely it will be used to compromise you. Be careful how feature-rich something is!