1. Support Center
  2. Issue Definitions
  3. CSS injection (stored)

CSS injection (stored)

Description: CSS injection (stored)

CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities but often trickier to exploit.

Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:

  • Executing arbitrary JavaScript using IE's expression() function.
  • Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.
  • Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.

Stored CSS injection vulnerabilities arise when the applicable input was submitted in an previous request and stored by the application.

Remediation: CSS injection (stored)

Ensure that user input is adequately escaped before embedding it in CSS blocks, and consider using a whitelist to prevent loading of arbitrary style sheets.

References

Vulnerability classifications

Typical severity

Medium

Type index

0x00501301

Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Read more

Get Burp

Scan your web application from just $399.00

Find out more