CSS Injection

CSS Injection occurs when an attacker can inject malicious Cascading Style Sheets (CSS) into a web application, often through unvalidated user input. This vulnerability allows attackers to manipulate the appearance of a website, steal sensitive information, or execute further attacks, such as clickjacking or credential theft. In some cases, CSS Injection can also be used to bypass content security policies (CSPs) or extract sensitive data through side-channel attacks.

Remediation

Strictly validate and sanitise all user-provided input to ensure it does not contain malicious CSS or HTML content.
Properly escape user inputs when injecting them into styles or attributes to prevent unintended CSS from being interpreted.
Implement a robust CSP to restrict the sources of CSS and prevent inline styles or external stylesheets from unauthorised origins.
Refrain from dynamically generating or injecting inline styles based on user inputs.
Disable potentially risky CSS features, such as custom properties or expressions, when not required.

Metadata

Severity: low
Slug: css-injection

CWEs

838: Inappropriate Encoding for Output Context

OWASP

A7:2017: Cross-Site Scripting (XSS)

Available Labs

Open Python labs in SecDim Play for this vulnerability.

easy

Calculator.py

Python Easy Django

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.