
CSS Injection

Severity: Medium
Test name: CSS Injection

Summary

CSS injection is a security vulnerability where an attacker injects Cascading Style Sheets (CSS) code into a web application. This can lead to various risks, including visual distortions, cross-site scripting (XSS) attacks, and website defacement. By exploiting CSS injection, an attacker can manipulate the appearance and behavior of a website, potentially compromising user data or executing unauthorized actions. Preventing CSS injection requires implementing secure coding practices, input validation, and output encoding to ensure the integrity and security of web applications.

Impact

Defacement: An attacker may use CSS injection to deface a website, changing its content or appearance to promote their own agenda, spread propaganda, or cause disruption.

Data Leakage: CSS injection can be used as a stepping stone to extract sensitive information from the affected web application or its users. By manipulating the site's behavior, an attacker could trick users into revealing confidential data or exploit vulnerabilities in the underlying code.

Denial of Service (DoS): In some cases, injected CSS code can cause a web page to become unresponsive or render incorrectly, leading to a denial of service for legitimate users.

Location

The issue can be found in the UI.

Remedy suggestions

Input Validation and Sanitization: Validate and sanitize all user inputs, including data entered into input fields and submitted through forms. Use proper input validation techniques to ensure that only expected and safe data is accepted.

Output Encoding: Encode and sanitize user-generated content or dynamically generated content before displaying it on web pages. This helps prevent the execution of injected CSS code by treating the content as plain text rather than executable code.

Content Security Policy (CSP): Implement a Content Security Policy that specifies which sources are allowed to load content on your web pages. This can help block injected content, including the styles used in CSS injection attacks.

Secure Development Practices: Follow secure coding practices, such as using parameterized queries and prepared statements to prevent injection attacks. Regularly update and patch software components, frameworks, and libraries used in your application to minimize the risk of known vulnerabilities.

Web Application Firewall (WAF): Consider deploying a WAF to monitor and filter incoming traffic to your web application. A WAF can help detect and block malicious requests, including those attempting CSS injection attacks.
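
The input validation and CSP remedies above, shown as an added example that is not part of the original documentation. It assumes a feature where users pick a banner colour; every function and constant name is hypothetical, and the generated CSS is assumed to be served as a same-origin stylesheet.

```javascript
// Added example: allow-list validation for a user-chosen theme colour.
// All names here (unsafeThemeCss, safeCssColor, ...) are hypothetical.

// Vulnerable form: the value is concatenated into a stylesheet unchecked,
// so characters such as ';' or '}' let the input leave the declaration.
function unsafeThemeCss(userColor) {
  return `.banner { background: ${userColor}; }`;
}

// Allow-list: 3/4/6/8-digit hex colours or a small set of named colours.
const NAMED_COLORS = new Set(["red", "green", "blue", "black", "white", "gray"]);
const HEX_COLOR = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// Returns the normalised colour, or the fallback when the input is not
// exactly one allowed value. Nothing is "cleaned up": it is accepted or not.
function safeCssColor(input, fallback = "#ffffff") {
  if (typeof input !== "string") return fallback;
  const value = input.trim().toLowerCase();
  return HEX_COLOR.test(value) || NAMED_COLORS.has(value) ? value : fallback;
}

// Hardened form: only a validated value ever reaches the stylesheet.
function safeThemeCss(userColor) {
  return `.banner { background: ${safeCssColor(userColor)}; }`;
}

// CSP that only allows stylesheets from the site's own origin. Without
// 'unsafe-inline', injected <style> blocks and style attributes are refused.
function cspHeader() {
  return "default-src 'self'; style-src 'self'";
}

// Constructed sample inputs: two valid colours and one declaration break-out.
const samples = ["#1a2b3c", "Blue", "red; } body { display: none"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeThemeCss(s));
}
console.log("Content-Security-Policy:", cspHeader());
```
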

Classifications
  • CWE-79
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N