1. Support Center
  2. Issue Definitions
  3. CSS injection (reflected)

CSS injection (reflected)

Description: CSS injection (reflected)

CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities but often trickier to exploit.

Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:

  • Executing arbitrary JavaScript using IE's expression() function.
  • Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.
  • Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.

Remediation: CSS injection (reflected)

Ensure that user input is adequately escaped before embedding it in CSS blocks, and consider using a whitelist to prevent loading of arbitrary style sheets.

References

Vulnerability classifications

Typical severity

Medium

Type index (hex)

0x00501300

Type index (decimal)

5247744

Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Read more

Get Burp

Scan your web application from just $449.00

Find out more