Understand CSS hanging horses and corresponding prevention methods

web front end four thousand four hundred and ninety-four 13 years ago (2011-04-21)

With the popularization of Web 2.0, various web page special effects are used more and more, which also gives hackers an opportunity to take advantage of. They found that CSS code used to make special effects on web pages can also be used to hang horses. Ironically, the CSS hanging horse method actually evolved from the CSS code for preventing E hanging horse.

The means of hanging a horse on a website was very simple at the beginning, but with the wide application of Web2.0 technology, Blog, Wiki and other technologies, hanging a horse has also emerged. Among them, CSS hanging a horse can be said to be the favorite of hackers in the Web2.0 era. There are many famous websites that have been hacked by hackers with CSS.

It is suggested that you should be more thoughtful when clicking on unfamiliar links, and large websites may also be hung up. When you are surfing the Internet, it is better to use some safety aids with the function of trojan blocking web pages.

Why do hackers choose CSS as their hanging horse?

In the era of Web 1.0, the use of E hanging horse is not so much for hackers to better hide trojans, but rather a helpless choice. In simple HTML pages and websites that lack interactivity, hackers have very limited means to use. Even if they take complex camouflage, they can easily be seen through, which is not as direct and effective as E.

But now there are more and more interactive Web 2.0 websites, and blogs and SNS communities that allow users to set and modify have emerged. These highly interactive communities and blogs often provide rich functions and allow users to use CSS cascading style sheets to modify the website pages freely, which has promoted the popularity of CSS.


CSS is the abbreviation for Cascading Style Sheets. The main purpose of CSS is to separate the file structure (written in HTML or other relevant languages) from the file display. This separation can enhance the readability of the file and make the file structure more flexible.

When hackers use CSS to hang up horses, they often use netizens' trust in some big websites to hang CSS malicious code on blogs or other CSS supporting pages. When netizens visit this page, the malicious code will be executed. It's like going to a famous hospital with complete licenses. You trust the hospital very much, but the outpatient service you see has been outsourced by a quack doctor, and in the name of the hospital, you use your trust to cheat you successfully. But when you go to find someone to settle accounts afterwards, the hospital often looks innocent at this time. For safety engineers, the troubleshooting of CSS is a necessary common sense.

CSS Attack and Defense Record

There are many ways to attack CSS, but the mainstream way is to write malicious CSS code into personalized pages that support CSS functions through vulnerable blogs or SNS social networking website systems. Let's take a typical CSS hanging horse as an example.

Mode 1:


The main function of "background image" in CSS is to define the background image of the page. This is the most typical way for CSS to hang up a horse. This malicious code is mainly used to let the web trojan run quietly on the user's computer through "background image" and t code.

How to hang this piece of CSS malicious code onto a normal web page? Hackers can put the generated web trojan at their designated location, and then write the malicious code to the webpage of the hanging horse website, or to the CSS file called by the hanging horse webpage.


The main purpose of using the Body object element is to make the object no longer change the content of the entire web page document. Through the control of the Body object, the content or effect can be controlled within the specified size, just like using DIV objects to set the size precisely.

Mode 2:


background-image: url(t:open(" # "newwindow","border="1" Height=0, Width=0, top=1000, center=0, toolbar=no,menubar=no, scrollbars=no,resizable=no,location=no,status=no"))

The CSS hanging horse technology in mode 1 will appear blank pages at runtime, affecting the normal access of web page visitors, so it is relatively easy to find. However, this code in mode 2 uses the Open window of t to open a new hidden window, quietly run the new window in the background and activate the trojan page for accessing the webpage overflow, which will not affect the visitors to view the webpage content, so it is more hidden.

Anti network The server If you are hanged, you will usually be prevented Viruses Information such as software alarm. As the vulnerabilities are constantly updated, the types of hanging horses are changing all the time. It is often overlooked to find out whether the server is hanging horses through the reflection of the client. The correct approach is to often check the server log, find abnormal information, often check the website code, and use the webpage trojan detection system to troubleshoot.

At present, in addition to using the previous blocking pop-up window to prevent CSS from hanging up, you can also set CSS filtering in the web page to filter out CSS. However, if you choose to filter CSS, you should first pay attention to whether your related pages have CSS content, so we still recommend blocking to prevent CSS. The blocking code is as follows: