Security: Smuggle arbitrary CSS inside cosmetic uBlock filters

[hackvertor]

Prerequisites

• I verified that this is not a filter issue (MUST be reported at filter issue tracker)
• This is not a support issue or a question
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
• The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
• I checked the documentation to understand that the issue I report is not a normal behavior

I tried to reproduce the issue when...

• uBO is the only extension
• uBO with default lists/settings
• using a new, unmodified browser profile

Description

uBlock origin allows you to use cosmetic filters to change content on the page. It allows some CSS but disallows making requests such as using background:url(). I've found a way to bypass these restrictions and execute arbitrary CSS:

*#$#* /* { font-family: ' background-color:red;'; }
*#$#* /*/ {background:url(https://hackvertor.co.uk/images/logo.gif)} */ { font-family: ' background-color:red;'; }

A specific URL where the issue occurs

https://portswigger-labs.net/

Steps to Reproduce

1. Go to my filters and add the following rule:

*#$#* /* { font-family: ' background-color:red;'; }
*#$#* /*/ {background:url(https://hackvertor.co.uk/images/logo.gif)} */ { font-family: ' background-color:red;'; }

2. Visit https://portswigger-labs.net or any website and you should see that the background image has changed for every element.

Expected behavior

You should not be allowed to make background requests inside cosmetic filters

Actual behavior

The background url request is made.

uBlock Origin version

1.38.7b15

Browser name and version

Chrome 95.0.4638.69

Operating System and version

MacOS 10.15.7

[u-RraaLL]

No need to make duplicates. If you think #1794 wasn't addressed, you should've followed up in there.

[gorhill]

It's fine reporting in a new issue, the issue is in a different code path.

[gorhill]

This is a clever trick, and I learned that querySelector('* /*') does not fail when the selector contains an open-ended comment.

[hackvertor]

@gorhill Wow cool you patched it so quickly. Could be a bypass:

*#$#* {background:url(https://hackvertor.co.uk/images/logo.gif);x{  background-color: red;}

[gorhill]

Interesting, I didn't expect that this would be parsed as a valid CSS declaration:

* {background:url(https://hackvertor.co.uk/images/logo.gif);x{color:red}

But it is, and I see the browser not failing at parsing the declaration and silently just discarding the x{color:red} part -- and not minding the unmatched {.

[gorhill]

Related: https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css