An old bug that was first found back in 2006 came back to visit. This regression brought back very old XSS vectors, specifically CSS-based XSS. Originally it was marked low severity, but not long after I managed to turn it into a uXSS, making it high severity. Here's how.
This is a very old XSS vector that mostly affected IE back in the early 2000s. It required the user to open the context menu and click 'View image'. But what about other context menu items?

Mozilla employee Jonathan Kingston pointed out that the 'View background image' context menu item was affected as well. This meant that we could use pure CSS to perform an XSS!
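CSS-based vectors of this family ride on a url() value whose scheme runs script instead of fetching an image (the post does not show its payload, so that is an assumption here). As an added defensive example, not code from the post, here is a Python check a site could run over user-supplied CSS to reject such url() values, including ones disguised with CSS hex escapes, mixed case or embedded control characters:

```python
import re
from urllib.parse import urlsplit

# Schemes a user-supplied stylesheet may reference from url(); "" means a relative URL.
ALLOWED_SCHEMES = {"", "http", "https"}

# Matches url("..."), url('...') and url(bare-token); captures the value in one of three groups.
_URL_RE = re.compile(r"""url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)""", re.IGNORECASE)
# CSS escapes: backslash + 1..6 hex digits (+ optional whitespace), or backslash + any character.
_ESCAPE_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.DOTALL)


def decode_css_escapes(value: str) -> str:
    """Resolve CSS backslash escapes so an obfuscated scheme (e.g. \\6a avascript:) becomes visible."""
    return _ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), value)


def normalized_scheme(raw_url: str) -> str:
    """Return the lowercase scheme a browser would end up using for a url() value."""
    value = decode_css_escapes(raw_url)
    # Browsers skip leading and embedded control characters while parsing the scheme.
    value = re.sub(r"[\x00-\x20]", "", value)
    return urlsplit(value).scheme.lower()


def find_unsafe_css_urls(css: str) -> list[str]:
    """List every url() value in `css` (escapes decoded) whose scheme is not allowed."""
    findings = []
    for m in _URL_RE.finditer(css):
        raw = next(g for g in m.groups() if g is not None)
        if normalized_scheme(raw) not in ALLOWED_SCHEMES:
            findings.append(decode_css_escapes(raw))
    return findings


def is_safe_user_css(css: str) -> bool:
    return not find_unsafe_css_urls(css)


# Constructed sample stylesheet: one benign rule and three disguised script-scheme backgrounds.
SAMPLE_CSS = """
.ok   { background-image: url("https://example.com/bg.png"); }
.bad1 { background-image: url("javascript:alert(1)"); }
.bad2 { background: url( jAvAsCrIpT:alert(2) ) no-repeat; }
.bad3 { background-image: url("\\6a avascript:alert(3)"); }
"""

if __name__ == "__main__":
    for hit in find_unsafe_css_urls(SAMPLE_CSS):
        print("rejected url():", hit)
```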
One of the interesting behaviors of context menus is that once you open one, it persists after you navigate to a different website. What's weirder is that if you, for example, open the context menu on 'a.com' and the browser then redirects to 'b.com', clicking 'View source' opens 'view-source:b.com', i.e. the current window.
So even though you open the context menu on one site, its items execute against whatever website you are on, regardless of origin. To set this up, we ask the user to click a button that opens the cross-origin 'victim' website. After that, we redirect to our website, populating the navigation history with our target website. Finally, we listen for the user opening the context menu using 'oncontextmenu' and execute 'history.back()', taking us to the target website. Once the user clicks

xssSetup.html (I am using https://addons.mozilla.org/%00 to get a relatively quicker loading page; not required.)
Mozilla swiftly fixed this issue, so it no longer works. But it sure was a fun find.