xss attack vector at "style" context for less.js

detail

less & sass suddenly came to my mind when researching about of css injection attacks. you know, both are css pre-processor so i think they don't support any client based operation. it is a mistake...

i saw less.js when visiting to http://lesscss.org/ page. less.js provides interpreting javascript code with backtick char in less code. so dom based xss vulnerability arises at this point.

i published it on twitter as the new attack vector for less.

shortening

also thanks to rakesh mane for the shortening!

payloads

`less.js` includes the regex pattern for `type` attribute of style element.  

var t=/^text\/(x-)?less$/;

so it is supporting these payloads:

<style type='text/less'>x{x:`alert(1)`}</style>
<style type='text/x-less'>x{x:`alert(1)`}</style>
comments powered by Disqus