CSS Injection

CSS Injection

Abuse CSS
Category Attack

CSS Injection #


This group of XS-Leaks requires a CSS injection on the target page.

Among the different CSS injection vectors, the most noticeable one is the abuse of CSS Selectors. They can be used as an expression to match and select certain HTML elements. For example, the selector input[value^="a"] is matched if the value of an input tag starts with the character “a”. So, to detect if a CSS Selector matches the expression, attackers can trigger a callback to one of their websites using certain properties like background, @import, etc. 1 2. The matching process can easily be brute-forced, and extended to the full string.

Page content such as JavaScript can be leaked by abusing Font ligatures as a sequence of characters can have its own representation.

Some HTML tags that are normally hidden such as style and script can be rendered as text by applying a style like * { display: block; }. Hence, their content could be potentially leaked as well.

Larger text dimensions can result in the scroll bar being shown,
This scroll bar can have a custom style such as background: url() so that it makes a request to an attacker-controlled server when shown. 3

Defense #

  • Put attacker controled content in its own document this can be done using a iframe with the srcdoc attrbute. Optionaly include the sandbox attbute to isolate the content into its own origin.
  • Use a CSS inliner so global styles get converted.
SameSite Cookies (Lax) COOP Framing Protections Isolation Policies

References #

  1. CSS Injection Primitives, link ↩︎

  2. HTTPLeaks, link ↩︎

  3. Font ligatures, link ↩︎