CSS injection (reflected)
Description: CSS injection (reflected)
CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities but often trickier to exploit.
Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:
- Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.
- Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.
Remediation: CSS injection (reflected)
Ensure that user input is adequately escaped before embedding it in CSS blocks, and consider using a whitelist to prevent loading of arbitrary style sheets.
- CWE-73: External Control of File Name or Path
- CWE-20: Improper Input Validation
- CAPEC-468: Generic Cross-Browser Cross-Domain Theft
Type index (hex)
Type index (decimal)