Userstyle xss vulnerable
Basically, userstyle description part supports full html syntax(except js), so it's pretty messed up.
Have a look at my style here: https://userstyles.org/styles/152947/don-t-enter-this-page
Have a look at my style here: https://userstyles.org/styles/152947/don-t-enter-this-page
Comments
The worst part is that it is also in search with list view:
But we can use it to do cool things like gallery:
https://userstyles.org/styles/142082/dark-cyan-theme-userstyles-org-stylish
With this simple code we can show full image if it dont have required size:
<style>#preview_image_div{background-size:contain!important}</style>
https://userstyles.org/styles/139579/socialblade-dark-theme
I reported this very dangerous vulnerable to userstyles.org’s administrator on 2017-11-03.
However, it have not been fixed yet.
For example, attackers can steal passwords of userstyles.org’s users.
(I promise no passwords are stolen in that page.)
But I don't want to minimize the concern that fake forms pose a serious threat.
"Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.
More information on creating a userChrome.css file: How to Create a userChrome.css File."
What editor you use for that?
<p style="position:fixed;z-index:999;top:0;right:0;margin-top:0;width:calc(70% - 32px);padding:16px;color:#000;background-color:#ff6;text-align:center;font-size:20px!important;"><b>Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.<br>More information on creating a userChrome.css file: <a href="https://www.userchrome.org/how-create-userchrome-css.html">How to Create a userChrome.css File</a>.</b></p>
It's very impressive !
I like to customize but with this possibility we can make very dangerous things.
One question:
How to see which code is used (typed) to have these effects?
i try with Firebug or the DevTools or the code source but i can't see them:
I see the effects (position: fixed etc...) like it was the original's site code but i don't see that's an addition used by an author and what code it inject in these part of the page.
By example , i don't see
style="position:fixed; etc..."
Ps:
The hover effect on the gallery in the description of Dark Cyan Theme - UserStyles.org Stylish by Pabli is very fine !
Since we don't have the possibility to add Additional screenshots , because that's broken now, i want reuse it...
;-)
If you're using the Inspector, right-click the relevant element, Copy > Outer HTML and you can paste that into a decent text editor (e.g., Notepad++ or Atom) to view with some syntax coloring to better make sense of it.
This is the user-side workaround by the to protect your account and plain password.
|https://userstyles.org^$inline-script
on a new lineSetting check
Try open this URL, if you see an alert dialog, something is wrong.
https://userstyles.org/styles/153129/userstyles-org-xss-vulnerability-test
You got one $inline-script too many there,
|https://userstyles.org^$inline-script
should work.Thank you. I corrected
$inline-script$inline-script
.|https://userstyles.org/styles/*^$inline-script
Is it possible to do the same thing with the sidebar bookmarks, making it wider and with two columns?
I think that there is no omission and the users can ensure security if they block inline scripts on whole userstyles.org, but are there pages that they had better not block?
I can't log in if I block the whole
|https://userstyles.org/*^$inline-script
, so it may be more reasonable to block|https://userstyles.org/styles/*^$inline-script
and|https://userstyles.org/categories/*^$inline-script
separatelyShould have an option to show these outer Outer HTML without that:
If we don't know they are here or on which element they are applied, it can be hard to find them.
I tested quickly on :
Dark Cyan Theme - UserStyles.org Stylish
and i can't find the right Outer HTML...
I tried to use a white list system but uBlock Origin seems not to support it about $inline-script option. Your way might be a good way.