Userstyle xss vulnerable

makeamericagreat

Basically, userstyle description part supports full html syntax(except js), so it's pretty messed up.
Have a look at my style here: https://userstyles.org/styles/152947/don-t-enter-this-page

Pabli

I warn that there are loud screams if someone want see his style.

The worst part is that it is also in search with list view:


But we can use it to do cool things like gallery:
https://userstyles.org/styles/142082/dark-cyan-theme-userstyles-org-stylish


With this simple code we can show full image if it dont have required size:
<style>#preview_image_div{background-size:contain!important}</style>
https://userstyles.org/styles/139579/socialblade-dark-theme

100の人

I reported this very dangerous vulnerable to userstyles.org’s administrator on 2017-11-03.

However, it have not been fixed yet.

For example, attackers can steal passwords of userstyles.org’s users.

makeamericagreat

Pabli said:

I warn that there are loud screams if someone want see his style.

The worst part is that it is also in search with list view:


But we can use it to do cool things like gallery:
https://userstyles.org/styles/142082/dark-cyan-theme-userstyles-org-stylish


With this simple code we can show full image if it dont have required size:
<style>#preview_image_div{background-size:contain!important}</style>
https://userstyles.org/styles/139579/socialblade-dark-theme

Uhm, I made this style for demonstration purposes only and to show that Userstyles page can easily be vulnerable to people with bad intentions, so there isn't really anything in the style yet.

Jefferson

This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

(I promise no passwords are stolen in that page.)

But I don't want to minimize the concern that fake forms pose a serious threat.

stonecrusher

decembre

About :

Jefferson said:

This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

How you code the banner of this userstyles to add this sticky message ? :
"Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.
More information on creating a userChrome.css file: How to Create a userChrome.css File."
What editor you use for that?

Jefferson

decembre said:

How you code the banner of this userstyles to add this sticky message ? :
"Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.
More information on creating a userChrome.css file: How to Create a userChrome.css File."
What editor you use for that?

A lot of Edit Style / Save / tweak rules using the Inspector / repeat. This is now at the top of the Description field in the form:

<p style="position:fixed;z-index:999;top:0;right:0;margin-top:0;width:calc(70% - 32px);padding:16px;color:#000;background-color:#ff6;text-align:center;font-size:20px!important;"><b>Firefox 57 or Stylish 3.0 users: Expand the "Show CSS Code" panel and copy/paste into a userChrome.css file.<br>More information on creating a userChrome.css file: <a href="https://www.userchrome.org/how-create-userchrome-css.html">How to Create a userChrome.css File</a>.</b></p>

RickyV

That's pretty awful. I actually just found the example by mistake when looking for a style for google translate. This is as poor as web design goes. It's amazing that it was reported over a month ago and they haven't done anything yet.

decembre

Thanks;
It's very impressive !
I like to customize but with this possibility we can make very dangerous things.

One question:
How to see which code is used (typed) to have these effects?

i try with Firebug or the DevTools or the code source but i can't see them:

I see the effects (position: fixed etc...) like it was the original's site code but i don't see that's an addition used by an author and what code it inject in these part of the page.
By example , i don't see style="position:fixed; etc..."

Ps:
The hover effect on the gallery in the description of Dark Cyan Theme - UserStyles.org Stylish by Pabli is very fine !
Since we don't have the possibility to add Additional screenshots , because that's broken now, i want reuse it...
;-)

Jefferson

decembre said:

One question:
How to see which code is used (typed) to have these effects?

The normal source (Ctrl+u) does not include dynamic content; it's more of an empty shell. If you Select All (Ctrl+a), then the right-click context menu has View Selection Source. That will include all of the code injected by scripts. Not including the iframes, of course, you need to view those separately.

If you're using the Inspector, right-click the relevant element, Copy > Outer HTML and you can paste that into a decent text editor (e.g., Notepad++ or Atom) to view with some syntax coloring to better make sense of it.

100の人

This is the user-side workaround by the to protect your account and plain password.

1. Install the browser extension uBlock Origin
2. Open the dashboard
3. Select the “My filters” tab
4. Add |https://userstyles.org^$inline-script on a new line
5. Change your password just in case

• This causes problems such that a redirect after editing not works.

Setting check

Try open this URL, if you see an alert dialog, something is wrong.
https://userstyles.org/styles/153129/userstyles-org-xss-vulnerability-test

stonecrusher

You got one $inline-script too many there, |https://userstyles.org^$inline-script should work.

100の人

You got one $inline-script too many there, |https://userstyles.org^$inline-script should work.

Thank you. I corrected $inline-script$inline-script.

catcat520

|https://userstyles.org/styles/*^$inline-script

João.

Jefferson said:

This is useful to know. I've been wanting to plaster banners on browser styles that need to be applied using userChrome.css and now I see how. E.g., https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

This style is very good, the idea is great.
Is it possible to do the same thing with the sidebar bookmarks, making it wider and with two columns?

Jefferson

João. said:

Jefferson said:

https://userstyles.org/styles/119797/bookmarks-menu-in-multiple-columns

This style is very good, the idea is great.
Is it possible to do the same thing with the sidebar bookmarks, making it wider and with two columns?

Hmmmaybe. Since I also need to do something for the toolbar bookmarks menu button I will look at the sidebar as well.

100の人

catcat520 said:

|https://userstyles.org/styles/*^$inline-script

XSS attack is possible on https://userstyles.org/categories/global also.

I think that there is no omission and the users can ensure security if they block inline scripts on whole userstyles.org, but are there pages that they had better not block?

stonecrusher

I can't log in if I block the whole |https://userstyles.org/*^$inline-script, so it may be more reasonable to block
|https://userstyles.org/styles/*^$inline-script and
|https://userstyles.org/categories/*^$inline-script separately

decembre

Jefferson said:

decembre said:

One question:
How to see which code is used (typed) to have these effects?

If you're using the Inspector, right-click the relevant element, Copy > Outer HTML and you can paste that into a decent text editor (e.g., Notepad++ or Atom) to view with some syntax coloring to better make sense of it.

Thank for the tuto !

Should have an option to show these outer Outer HTML without that:
If we don't know they are here or on which element they are applied, it can be hard to find them.
I tested quickly on :
Dark Cyan Theme - UserStyles.org Stylish
and i can't find the right Outer HTML...

João.

Jefferson said:

Hmmmaybe. Since I also need to do something for the toolbar bookmarks menu button I will look at the sidebar as well.

Ok. Thank you.

100の人

stonecrusher said:

I can't log in if I block the whole |https://userstyles.org/*^$inline-script, so it may be more reasonable to block

|https://userstyles.org/styles/*^$inline-script and

|https://userstyles.org/categories/*^$inline-script separately

If I block the whole, the redirect after logging in not works but I opened my user page and I confirmed that I logged in successfully.

I tried to use a white list system but uBlock Origin seems not to support it about $inline-script option. Your way might be a good way.

Jefferson

decembre said:

Should have an option to show these outer Outer HTML without that:
If we don't know they are here or on which element they are applied, it can be hard to find them.

I think the easiest way to get close to the right spot in the Inspector is right-click > Inspect Element. Are we only looking at "Description" and "Notes from latest update"? I'm not sure it's possible to inject HTML elsewhere on the page.

Jefferson

Looks like this vulnerability was fixed. Unfortunately, the sledgehammer broke some innocent uses of inline CSS, but...

100の人

I confirmed that this vulnerability was fixed too and allowed HTML seem to be repaired to follow Format of style descriptions.