@securityMB
Created February 24, 2018 23:21
CSS Scrollbar attack

Imagine we have the following code:

<script>
var TOKEN="abcdef";
</script>

And we aim to steal the token using only CSS.

Idea

We'll detect the presence of scrollbars using only CSS, which can be done on Chrome (this was covered by Eduardo in his blog post). My idea is, however, slightly different.

Suppose the token may consist only of the characters "0123456789abcdef". In the first step, we create two fonts. In both fonts every character has zero width, except for:

  1. In the first font, we define the two-character sequences "0, "1, "2, "3, "4, "5, "6, "7 (the opening quote followed by the character) as very wide ligatures.
  2. In the second font, we define the sequences "8, "9, "a, "b, "c, "d, "e, "f as very wide ligatures.

Then we create two iframes referencing those fonts. In the example above, only the first iframe will get a scrollbar, which means that the first character of the token is one of "01234567".

Then we split "01234567" into two parts again and repeat the same steps as above until we know the exact character.

After that, we can steal the second character by defining ligatures for "a0, "a1, "a2 and so on.

Then it works just as shown here
